by Svenja Koch
The US authority CISA has issued a security warning about attacks that distribute malicious code through widely used npm libraries. Where and how did the infection take place?
In which npm library is the malicious code present?
Who is affected and how does the infected npm library get onto target computers?
What is the function of the malicious code placed by the attackers in the npm library?
Analysis of the open source code shows what the code the hackers placed in the library actually does. In the course of Saturday, one day after the CISA security warning, it became apparent that two components are involved. Both are scripts that download executable files and run them on the target system.
The first component downloads a so-called mining tool for cryptocurrencies onto the computer and starts it. Mining tools generate units of cryptocurrencies such as Bitcoin by contributing computing power; in effect they exchange computing time for money. The mining tool loads the computer to capacity, which has unpleasant side effects: programs respond more slowly, main memory fills up and power consumption rises sharply in some cases. The owners of computers infected with a mining tool therefore bear real costs. The attackers probably pool the compromised computers into a botnet and thus concentrate the computing power, maximising both the mining output and the financial gain from the attack. At the end of October 2021 a Bitcoin is worth over 50,000 euros, so large-scale attacks with mining tools are well worthwhile.
The second component is a Trojan, which appears to run only under Windows. It steals access data from the user's browser and sends it to the attackers. On infected computers it was observed that the malware exports the Chrome browser's database, which contains the locally stored cookies. Cookies are valuable to an attacker because they hold session tokens: whoever possesses them can take over a logged-in session without knowing the password.
This second function of the malicious code is therefore considerably more dangerous for the affected computer owners. While the mining tool merely degrades the usability of the PC, the Trojan can steal credentials for online banking, email accounts or company passwords.
What measures are necessary?
In such a case the safest course is to isolate the computer completely and immediately. All passwords, both local and for web services, must be changed, as the hackers may already control the accounts, and any other credentials stored on the machine should be treated the same way. Because the Trojan exports browser cookies, active web sessions should also be logged out so that stolen session tokens become worthless. It is important to do all of this from a computer that is not infected. The only way to clean the infected computer with certainty is to reinstall the operating system; nothing less ensures that the malware is no longer embedded in it.
Open source software in particular is often considered secure because the entire source code of a program, including the libraries it uses, is publicly accessible. At the same time, IT security experts have repeatedly pointed out the vulnerability of repositories like npm. The current example and the CISA security warning show that hackers are quite successful with attacks on such repositories.
The actual infection is comparatively simple. It is sufficient to gain control over the account with which a developer publishes a library to the npm registry, that is, the npm account rather than necessarily the GitHub account: npm installs whatever the published package contains, so the source code on GitHub need not be touched at all. There are numerous known ways to take over such an account, such as phishing or social engineering. Inserting the malicious code and publishing a new version is then a matter of minutes. A lot of time passes before the responsible developer reacts or a third party notices the hijack, and during this time the malicious code has most likely already reached the computers of unsuspecting users, because every installation that picks up the new version runs it. The weak link is thus a single private individual, while the impact, as in this case, reaches even the largest IT companies in the industry, from Amazon to IBM to Microsoft.