NPM flooded with malicious packages downloaded more than 86,000 times

Attackers have been exploiting a serious weakness since August to plant more than 100 credential-theft packages in the NPM code repository, mostly without detection.

Findings laid out on Wednesday by security firm Koi highlight an NPM feature that allows installed packages to automatically retrieve and run untrusted packages from untrusted domains. Koi said the campaign it was tracking, which it calls PhantomRaven, used NPM's support for "remote dynamic dependencies" to flood NPM with 126 malicious packages that were downloaded over 86,000 times. About 80 of those packages remained available as of Wednesday morning, Koi said.

Blind spot

“PhantomRaven demonstrates how sophisticated attackers are becoming [better] … Remote dynamic dependencies are not visible to static analysis,” wrote Oren Yomtov of Koi.

Remote dynamic dependencies provide greater flexibility in accessing dependencies—code libraries that many other packages require in order to work. Ordinarily, dependencies are visible to the developer installing the package and are loaded from NPM's trusted infrastructure.

RDD works differently. It allows a package to download dependencies from untrusted websites, even over unencrypted HTTP. PhantomRaven attackers took advantage of this leniency by including code in 126 packages uploaded to NPM. The code downloads malicious dependencies from URLs including http://packages.storeartifact.com/npm/unused-imports. Koi said these dependencies are “invisible” to developers and many security scanners; instead, the packages appear to contain “0 dependencies”. The NPM feature ensures that these invisible downloads are installed automatically.

Compounding the weakness, the dependencies are downloaded “fresh” from the attacker's server each time the package is installed, rather than being cached, versioned, or otherwise static, as Koi explained:
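A defender-side check for both problems described above, dependency specs that point at an arbitrary URL instead of the registry, and installs that are not pinned to a fixed artifact by a lockfile `integrity` hash, written as an added example in Node.js. This is not code from Koi's report or from npm itself. The manifest and lockfile below are constructed for illustration, and the host `packages.example.invalid` is a placeholder rather than a real indicator; the spec classification follows the URL, git and `file:` forms that npm's resolver accepts.

```javascript
// Added example (not from Koi's report or any npm tooling): flag dependency
// specs in package.json that npm would satisfy by fetching from an arbitrary
// URL rather than the configured registry, and flag lockfile entries whose
// "resolved" field points outside the registry or that lack an "integrity"
// hash (so a fresh, possibly different, artifact is fetched on every install).

const REGISTRY_HOST = 'registry.npmjs.org';
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Classify one dependency spec the way npm's resolver would treat it.
function classifySpec(spec) {
  if (/^http:\/\//i.test(spec)) return { kind: 'remote-url', insecure: true };   // plaintext HTTP tarball
  if (/^https:\/\//i.test(spec)) return { kind: 'remote-url', insecure: false }; // TLS, but still not the registry
  if (/^(git\+|git:\/\/|github:|gitlab:|bitbucket:|gist:)/i.test(spec) ||
      /^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) {                                  // "user/repo" GitHub shorthand
    return { kind: 'git', insecure: /^(git\+http:|git:\/\/)/i.test(spec) };
  }
  if (/^(file:|link:)/i.test(spec)) return { kind: 'local', insecure: false };
  return { kind: 'registry', insecure: false };                                  // semver range, tag, or npm: alias
}

// Walk every dependency field of a parsed package.json and report specs that
// would be fetched from somewhere other than the registry or the local disk.
function findRemoteDependencies(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const c = classifySpec(String(spec));
      if (c.kind === 'registry' || c.kind === 'local') continue;
      findings.push({ field, name, spec: String(spec), kind: c.kind, insecure: c.insecure });
    }
  }
  return findings;
}

// Lockfile check (lockfileVersion 2/3 "packages" map). Each installed package
// should resolve to the registry and carry an integrity hash; otherwise npm
// has no way to guarantee the same bytes are installed next time.
function auditLockfile(lock, registryHost = REGISTRY_HOST) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;          // root project entry, not a dependency
    const resolved = entry.resolved || '';
    let offRegistry = false;
    try {
      offRegistry = resolved !== '' && new URL(resolved).host !== registryHost;
    } catch {
      offRegistry = true;               // "resolved" is not even a parsable URL
    }
    if (offRegistry || !entry.integrity) {
      findings.push({ path, resolved, offRegistry, hasIntegrity: Boolean(entry.integrity) });
    }
  }
  return findings;
}

// Constructed sample inputs (hypothetical package names and a placeholder host).
const SAMPLE_MANIFEST = {
  name: 'sample-app',
  dependencies: {
    'lodash': '^4.17.21',                                                       // normal registry range
    'unused-imports': 'http://packages.example.invalid/npm/unused-imports',     // RDD over plaintext HTTP
    'some-lib': 'https://packages.example.invalid/some-lib-1.0.0.tgz',          // RDD over HTTPS
    'tooling': 'github:example-org/tooling#v1',                                 // git dependency
  },
  devDependencies: { 'local-helper': 'file:../helper' },                        // local path, not remote
};

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER',
    },
    'node_modules/unused-imports': {
      version: '1.0.0',
      resolved: 'http://packages.example.invalid/npm/unused-imports',          // off-registry, no integrity
    },
  },
};

function main() {
  console.log('manifest findings:', findRemoteDependencies(SAMPLE_MANIFEST));
  console.log('lockfile findings:', auditLockfile(SAMPLE_LOCK));
}

if (typeof require !== 'undefined' && require.main === module) main();
module.exports = { classifySpec, findRemoteDependencies, auditLockfile, SAMPLE_MANIFEST, SAMPLE_LOCK };
```

Run against a real project with `JSON.parse(fs.readFileSync('package.json'))` and `package-lock.json`; the manifest check catches URL-valued specs that registry metadata may report as "0 dependencies", and the lockfile check catches installs that can change from one `npm install` to the next. Git and HTTPS URL specs are reported too, since they also bypass the registry even when the transport is encrypted.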
