Four packages containing highly obfuscated malicious Python and JavaScript code were discovered this week in the Node Package Manager (npm) repository.
According to a report
from Kaspersky, the malicious packages spread the “Volt Stealer” and “Lofy Stealer” malware, collecting information from their victims, including Discord tokens and credit card information, and spying on them over time.
Volt Stealer is used to steal Discord tokens and harvest people’s IP addresses from the infected computers, which are then uploaded to malicious actors via HTTP.
Lofy Stealer, a newly developed threat, can infect Discord client files and monitor the victim’s actions. For example, the malware detects when a user logs in, changes email or password details, or enables or disables multifactor authentication (MFA). It also monitors when a user adds new payment methods, and will harvest full credit card details. The collected information is then uploaded to a remote endpoint.
The package names are “small-sm,” “pern-valids,” “lifeculer,” and “proc-title.” While npm has removed them from the repository, applications from any developer who already downloaded them remain a threat.
Hacking Discord Tokens
Targeting Discord provides a lot of reach because stolen Discord tokens can be leveraged for spear-phishing attempts on victims’ friends. But Derek Manky, chief security strategist and vice president of global threat intelligence at Fortinet’s FortiGuard Labs, points out that the attack surface will of course vary among organizations, depending on their use of the multimedia communications platform.
“The threat level would not be as high as a Tier 1 outbreak like we have seen in the past — for example, Log4j — due to these concepts around the attack surface associated with these vectors,” he explains.
Users of Discord have options to protect themselves from these kinds of attacks: “Of course, like any application that is targeted, covering the kill chain is an effective measure to reduce risk and threat level,” Manky says.
This means having policies set up for appropriate usage of Discord according to user profiles, network segmentation, and more.
Why npm Is Targeted for Software Supply Chain Attacks
The npm software package repository has more than 11 million users and tens of billions of downloads of the packages it hosts. It’s used both by experienced Node.js developers and people using it casually as part of other activities.
The open source npm modules are used both in Node.js production applications and in developer tooling for applications that wouldn’t otherwise use Node. If a developer inadvertently pulls in a malicious package to build an application, that malware can go on to target the end users of that application. Thus, software supply chain attacks like these provide more reach for less effort than targeting an individual company.
“That ubiquitous use among developers makes it a big target,” says Casey Bisson, head of product and developer enablement at BluBracket, a provider code security solutions.
Npm doesn’t just provide an attack vector to large numbers of targets, but that the targets themselves extend beyond end users, Bisson says.
“Enterprises and individual developers both often have greater resources than the average population, and lateral attacks after gaining a beachhead in a developer’s machine or enterprise systems are generally also rather fruitful,” he adds.
Garwood Pang, senior security researcher at Tigera, a provider of security and observability for containers, points out that while npm provides one of the most popular package managers for JavaScript, not everyone is savvy in how to use it.
“This allows developers access to a huge library of open source packages to enhance their code,” he says. “However, due to the ease of use and the amount of listing, an inexperienced developer can easily import malicious packages without their knowledge.”
It’s no easy feat, though, to identify a malicious package. Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, cites the sheer quantity of components making up a typical NodeJS package.
“Being able to identify correct implementations of any functionality is challenged when there are many different legitimate solutions to the same problem,” he says. “Add in a malicious implementation that can then be referenced by other components, and you’ve got a recipe where it’s difficult for anyone to determine if the component they are selecting does what it says on the box and doesn’t include or reference undesirable functionality.”
More Than npm: Software Supply Chain Attacks on the Rise
Major supply chain attacks have had a significant impact on software security awareness and decision making, with more investment planned for monitoring attack surfaces.
Mackey points out that software supply chains have always been targets, particularly when one looks at attacks targeting frameworks like shopping carts or development tooling.
“What we’re seeing recently is a recognition that attacks we used to categorize as malware or as a data breach are in reality compromises of the trust organizations place in the software they’re both creating and consuming,” he says.
Mackey also says that many people assumed that software created by a vendor was entirely authored by that vendor, but, in reality, there could be hundreds of third-party libraries making up even the simplest software — as came to light with the Log4j fiasco.
“Those libraries are effectively suppliers within the software supply chain for the application, but the decision to use any given supplier was made by a developer solving a feature problem and not by a businessperson focused on business risks,” he says.
That’s prompted calls for the implementation of software bills of materials (SBOMs). And, in May, MITRE launched
a prototype framework for information and communications technology (ICT) that defines and quantifies risks and security concerns over the supply chain — including software.
