New IronWorm Malware Hits 36 Packages In npm Supply-Chain Attack (bleepingcomputer.com) 16
A new npm supply-chain attack has infected 36 packages with Rust-based infostealer malware called IronWorm. According to BleepingComputer, the malware "targets 86 environment variables (key-value pairs) and 20 credential files that may contain OpenAI, AWS, Anthropic, and npm credentials, vault configuration files, SSH keys, and Exodus cryptocurrency wallet files." From the report: According to researchers at supply-chain and devops company JFrog, IronWorm is written in Rust, hides behind an eBPF kernel rootkit, and communicates with the operator over the Tor network. The Rust-based malware self-propagates by using stolen credentials for publishing on npm; this includes secrets associated with npm's Trusted Publishing workflow. Once it compromises a developer or CI environment, it can publish trojanized versions of packages owned by the victim, which then infect additional developers and CI systems.
This behavior is conceptually similar to Shai Hulud, which had its code published on GitHub recently. Although JFrog researchers did not find a clear connection between IronWorm and Shai Hulud, they observed the same commit names in both supply-chain attacks. This opens the possibility that the new malware is an evolution of TeamPCP's payload, since IronWorm appears to be "a custom, carefully built implant from an operation with its own infrastructure."
[...] The company provides a list of all impacted package names and their versions in the report and recommends that developers upgrade to fixed releases, rotate their keys, and enable two-factor authentication (2FA) for all accounts. At the same time, Endor Labs and StepSecurity have spotted a very similar but distinct attack involving a JavaScript-based malware named binding.gyp, performing registry poisoning and GitHub Actions infection, unfolding during the same time-frame.
This behavior is conceptually similar to Shai Hulud, which had its code published on GitHub recently. Although JFrog researchers did not find a clear connection between IronWorm and Shai Hulud, they observed the same commit names in both supply-chain attacks. This opens the possibility that the new malware is an evolution of TeamPCP's payload, since IronWorm appears to be "a custom, carefully built implant from an operation with its own infrastructure."
[...] The company provides a list of all impacted package names and their versions in the report and recommends that developers upgrade to fixed releases, rotate their keys, and enable two-factor authentication (2FA) for all accounts. At the same time, Endor Labs and StepSecurity have spotted a very similar but distinct attack involving a JavaScript-based malware named binding.gyp, performing registry poisoning and GitHub Actions infection, unfolding during the same time-frame.
Including remote code, rise and repeat! (Score:2)
too bad you linked that garbage (Score:3)
The link we wanted was actually in that story, which is worthless by comparison
https://www.ox.security/blog/i... [www.ox.security]
Remotely downloaded code (Score:4, Insightful)
What, exactly, is the point or purpose of including code in your program that is downloaded from a third-party website every time you execute the program?
If you want to include a function or subroutine or library in your program, why wouldn't you just download it and use that?
"Lets drag in random code every time we run the program" is a huge security hole on its own and I genuinely don't understand why anyone would do that, or would even consider it as a worthwhile idea.
Re: (Score:1)
So, IDE platforms are pretty much the original targets for these supply chain attacks, or enterprise level networks... The framework supply chains , are they just unreported?
Re: (Score:2)
What would happen to modern devs if they lost all connectivity and their reference was just paper manuals?
Re:Remotely downloaded code (Score:5, Informative)
What, exactly, is the point or purpose of including code in your program that is downloaded from a third-party website every time you execute the program?
No, npm is literally the opposite of that.
If you want to include a function or subroutine or library in your program, why wouldn't you just download it and use that?
I run Drupal and it uses composer, which does basically the same thing. But then I want some javascript libraries that you can't get through composer repos itself, you need to get them from npm. So every time there's one of these npm exploit stories I say oh shit, some more shit I need to read. Luckily I'm only pulling in literally two packages from there. But I don't need to do this, I only do it specifically for the purpose of not having my site refer to some other site for those javascript libraries. That way, someone else changing their library doesn't automatically screw up my site, or more plausibly since I am not running any javascript on the server side, start back dooring other people who visit there. So npm is exactly the kind of thing you think people should be using, except with less oversight which is why we keep hearing about loads of compromised packages.
Re: (Score:2)
Another Drupal developer here, with some experience working with the Feds. Most government websites [drupal.org] as I am aware of are Drupal websites.
Writing as a developer, I can tell you we are not allowed any access to live systems, which is good. That allows us to work in our sandboxes and break things before we commit to the GIT repository branch we're developing to eventually be merged into the main branch and released one day. In other words, the only connectivity we're allowed is uploading to the git server.
In
Rust, the often touted solution to all things (Score:1)
Including creating new, I'm sure it's very stable, malware!
I bet... (Score:2)
everyone couldn't see this coming once AI/LLM-AI became a thing!
Now, you don't have to spend the month reading through code to find the 'oops' that someone goofed on... you can pay some amount to have an AI thingy do that 100x faster than a human and the thingy can find everything and (maybe) it'll let you know about all of them (50/50 chance of if the bugs it finds are only for your eyes, or if it hallucinates and sends the bugs to some hacking group).
Re: (Score:1)
These directory key pair attacks are old but, surprisingly effective. Who hasn't been pushed a bad .tar file on sourceforge way back when.....?
Re: (Score:2)
Those of us who don't depend on .tarballs, haven't been pushed a bad .tar file.
I'm Win10 LTSC on all my machines (and, MacOSX High Sierra on the Mac Mini a friend gave me).
Let the bear eat your friend (Score:2)
Until everyone else is doing that too, then you make it 168.
But no memory leaks! (Score:2)
Now that must count for something, no matter how bad this is.
Switch to Bun or pnpm (Score:1)
Within the npm ecosystem package managers have an option for packages called arbitrary lifecycle scripts
In the case of bun or pnpm they don't run these unless it's on a trusted list
https://bun.com/docs/guides/in... [bun.com]
https://github.com/pnpm/pnpm/p... [github.com]