lazarusholic


Phylum Discovers Sophisticated Ongoing Attack on NPM

2023-06-23, Phylum
https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/
#NPM

On June 11, Phylum’s automated risk detection platform alerted us to a peculiar pattern of publications on NPM. The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed. At the time of this writing, we have yet to fully unravel the mystery, but we invite you to follow along as we share the discoveries we’ve made so far.
Background
The attack chain starts in the package.json file with a simple preinstall hook that looks something like this:
{ "name": "chart-tablejs", "version": "1.0.1", "description": "", "main": "index.js", "scripts": { "test": "echo \\"Error: no test specified\\" && exit 1", "preinstall": "npm install sync-request && node main.js" }, "author": "", "license": "ISC", "dependencies": { "sync-request": "^6.1.0" } }
As you can see above, this first installs a library called sync-request directly in the preinstall hook and then immediately runs …
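The tell in the package.json above is an install-time hook that both pulls in a new dependency and executes a script file. The following is an added example, not Phylum's detection platform and not code from the packages discussed: a small Node script that parses package.json files and flags lifecycle hooks matching that pattern. The hook list, the regex heuristics, the finding field names and the second (benign) sample package are this example's own assumptions; the first sample is the chart-tablejs package.json reproduced in the post.

```javascript
// Added example: audit npm lifecycle scripts for "install more code, then run it"
// behaviour. Not Phylum's tooling; heuristics below are assumptions for this example.

// Hooks that npm runs automatically when a dependency is installed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics for fetch-and-execute at install time. Each entry is an assumption
// made for this example, not a rule taken from the original post.
const SUSPICIOUS_PATTERNS = [
  { reason: "installs-dependency-from-hook", re: /\bnpm\s+(?:i|install|add)\b/ },
  { reason: "runs-script-file",              re: /\bnode\s+\S+\.js\b/ },
  { reason: "inline-node-eval",              re: /\bnode\s+-e\b/ },
  { reason: "fetches-remote-content",        re: /\b(?:curl|wget|Invoke-WebRequest)\b/ },
];

// Parse one package.json and return one finding per lifecycle hook whose command
// matches at least one heuristic. Returns [] when nothing matches.
function auditLifecycleScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const reasons = SUSPICIOUS_PATTERNS
      .filter((p) => p.re.test(command))
      .map((p) => p.reason);
    if (reasons.length > 0) {
      findings.push({ name: pkg.name, version: pkg.version, hook, command, reasons });
    }
  }
  return findings;
}

// Constructed sample 1: the package.json shown in the post, as a valid JSON string.
const CHART_TABLEJS_PACKAGE_JSON = JSON.stringify({
  name: "chart-tablejs",
  version: "1.0.1",
  description: "",
  main: "index.js",
  scripts: {
    test: 'echo "Error: no test specified" && exit 1',
    preinstall: "npm install sync-request && node main.js",
  },
  author: "",
  license: "ISC",
  dependencies: { "sync-request": "^6.1.0" },
});

// Constructed sample 2 (hypothetical package): a native addon whose postinstall
// only rebuilds, to show the heuristics do not fire on every install hook.
const BENIGN_PACKAGE_JSON = JSON.stringify({
  name: "some-native-addon",
  version: "2.0.0",
  scripts: { postinstall: "node-gyp rebuild", test: "jest" },
});

// Audit a list of [path, packageJsonText] pairs, as you would when walking
// node_modules or a registry feed, and tag each finding with its path.
function auditMany(entries) {
  return entries.flatMap(([path, text]) =>
    auditLifecycleScripts(text).map((f) => ({ path, ...f }))
  );
}

if (typeof require !== "undefined" && require.main === module) {
  const report = auditMany([
    ["node_modules/chart-tablejs/package.json", CHART_TABLEJS_PACKAGE_JSON],
    ["node_modules/some-native-addon/package.json", BENIGN_PACKAGE_JSON],
  ]);
  for (const f of report) {
    console.log(`${f.path}: ${f.hook} -> ${f.command} [${f.reasons.join(", ")}]`);
  }
}
```

Run it over a checkout's node_modules before trusting an install, or over newly published packages in a feed. Because legitimate packages (native addons, for instance) also use install hooks, treat hits as review queue items rather than blocking on them automatically. Independently of any scanner, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents preinstall hooks like the one above from running at all, at the cost of breaking packages that genuinely need a build step.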

IoC

http://bi2price.com
http://npmcloudjs.com
http://npmjsregister.com
http://npmrepos.com
http://tradingprice.net
https://bi2price.com/getfullhistory.php
https://tradingprice.net/checktoken.php