Cybercriminals have discovered a new technique for introducing malicious code into NPM packages by taking over abandoned AWS S3 buckets. This lets them replace the binary files a package needs in order to work, without altering the package's source code.
Checkmarx experts detected an attack on the BigNum package, which was being distributed with a malicious binary file that stole users' personal data and sent it to the hijacked S3 bucket. This illustrates the growing interest of cybercriminals in the software supply chain, which lets them quickly reach a large number of potential victims. The researchers also found dozens of other NPM packages that are exposed to the same threat.
AWS S3 buckets are cloud storage containers that can be used for hosting websites or backing up data. Each bucket is reachable at a unique URL, but owners can forget about a bucket or stop using it. Once a bucket is deleted, its name becomes free again, and cybercriminals can register it themselves and change its contents.
The BigNum package used the node-gyp tool to download a binary file from an S3 bucket. When the bucket became unavailable, the attacker claimed it and placed a malicious binary file there. When users installed or updated the BigNum package, they downloaded the attacker's file along with it. The malicious binary, written in C++, behaved in the same way as the original file but also collected users' account credentials and sent them to the hijacked S3 bucket.
These recent attacks show how important it is to monitor the security of S3 buckets and not to leave them unattended. It is also necessary to examine the sources of the binary files that NPM packages download. NPM users can use tools such as npm audit and Snyk to identify vulnerabilities in their dependencies.