A hacker has managed to infect over a dozen widely used software packages with a crypto-looting malware after successfully phishing the programmer responsible for maintaining them.
This morning, the malware was found in 18 software modules that together have been downloaded 2 billion times per week, according to Aikido Security. The problem affects a group of popular “npm packages” that provide essential functionality for JavaScript projects, such as converting fonts and adding colors to text.
The programmer responsible for maintaining the npm packages, Josh Junon, posted on Monday, “Yep, I’ve been pwned,” attributing the hack to a phishing email, which was apparently sent to multiple users. The phishing email posed as a message from the official npmjs.com domain, which GitHub owns, by using the official logos. In reality, it originated from a lookalike domain, npmjs[.]help.
The attack also worked by posing as a security-related alert, urging the recipient to update their two-factor authentication. The phishing email included a link that appears to have led to a hacker-controlled domain, which then captured access to the account Junon uses to maintain the npm packages.
The breach prompted Aikido Security to describe it as “the largest supply chain compromise in npm history.” However, the programming community was quick to flag the issue after the affected npm packages were found to contain malicious code. Some of the affected npm packages have already been removed.
“As these versions were only available for a short period of time and (based on data from npm) did not have any downloads, the impact of this malware is likely minimal,” according to security app provider Semgrep.
Meanwhile, BleepingComputer reports that a software project would have needed to meet three criteria in order to have been affected by the malware, which limits the attack’s impact.
“The compromise was significant. But the payload was amateur-grade. My honest opinion: all they had was access – not skill,” added security researcher Florian Roth. Still, there are some signs the hacker may have successfully targeted other npm package maintainers.
The hacker’s malware focuses on stealing cryptocurrency by hijacking and manipulating the user’s browser. “Simply put, the actor swaps any crypto transactions to their own address, redirecting any currency to their accounts,” said Socket, another application security provider.
About Michael Kan
Senior Reporter
