- 17 NPM packages with more than one million combined weekly downloads were compromised to deliver a RAT
- The attack could turn into a larger supply chain attack, experts warned
- The packages have since been deprecated, but users should remain on their guard
More than a dozen packages on NPM were poisoned with a remote access Trojan (RAT), potentially infecting millions of projects.
Cybersecurity researchers at Aikido Security recently discovered malicious code buried deep inside 17 popular gluestack packages.
The packages cumulatively have more than a million weekly downloads, which means a huge number of users may be affected, the researchers warned.
Revocation of the access tokens
Here is the full list of compromised packages:
- @react-native-aria/button
- @react-native-aria/checkbox
- @react-native-aria/combobox
- @react-native-aria/disclosure
- @react-native-aria/focus
- @react-native-aria/interactions
- @react-native-aria/listbox
- @react-native-aria/menu
- @react-native-aria/overlays
- @react-native-aria/radio
- @react-native-aria/switch
- @react-native-aria/toggle
- @react-native-aria/utils
- @gluestack-ui/utils
- @react-native-aria/separator
- @react-native-aria/slider
- @react-native-aria/tabs
The packages contained malicious code that connected to the attackers’ command-and-control (C2) server and received additional commands, including the ability to upload one or more files.
In addition, the Trojan can perform Windows PATH hijacking and silently override legitimate python and pip commands.
In response, gluestack revoked the access token used to publish the compromised packages. All the poisoned packages are now marked as deprecated on NPM.
“Unfortunately, it wasn’t possible because of dependent packages,” said a gluestack developer, explaining why the compromised versions could not be unpublished.
Node Package Manager (NPM) is the standard package manager for the JavaScript runtime environment Node.js. It is used to install libraries, share packages with the community, manage dependencies, run scripts and more.
As such, it is extremely popular, with millions of monthly visitors and hundreds of thousands of registered accounts that regularly publish packages.
Unfortunately, popular platforms attract threat actors in no time, and situations like this are not uncommon on NPM or on similar platforms such as GitHub or PyPI.
Via BleepingComputer