cybersecurity researchers have identified an ongoing software supply chain attack targeting developers through the npm registry. The campaign, active as of late April 2024, involves at least 19 malicious packages designed to steal sensitive credentials, including cryptocurrency wallet keys and continuous integration secrets.

Supply chain security firm Socket discovered the operation, codenaming it SANDWORM_MODE. The company’s analysis revealed the packages function as a coordinated “worm-like” campaign, referencing a previous series of attacks known as “Shai-Hulud.” The malicious code is embedded within seemingly legitimate open-source libraries to avoid detection.

Mechanism of the Attack

The malicious packages employ sophisticated obfuscation techniques to hide their true intent from automated security scans. Once installed in a developer’s project, the code executes a multi-stage process. It first gathers system information before exfiltrating specific types of sensitive data from the victim’s environment.

Targeted data includes private SSH keys, configuration files for cloud services like AWS and Google Cloud, and environment variables containing API tokens. The packages are also configured to search for and steal seed phrases and private keys associated with cryptocurrency wallets, posing a direct financial threat.

Scope and Discovery

Researchers at Socket identified the cluster of packages by analyzing behavioral patterns and code similarities. The campaign’s infrastructure suggests a deliberate attempt to create a self-sustaining attack, where one compromised package could lead to further infections within dependent projects.

The npm registry administrators were notified upon discovery. The malicious packages have since been removed from the public repository to prevent further downloads. However, any projects that already incorporated these dependencies may remain compromised until they are updated.

Industry Response and Recommendations

The discovery has prompted renewed warnings from security professionals about the risks inherent in open-source software dependencies. Experts emphasize that attacks on widely used platforms like npm represent a significant threat to global software infrastructure.

Security analysts recommend that development teams implement stricter vetting procedures for third-party code. This includes using automated software composition analysis tools, regularly auditing dependency lists for known vulnerabilities, and enforcing policies that require code review for all new packages added to a project.

Organizations are advised to immediately review their projects for any of the identified malicious packages and rotate all potentially exposed credentials, including API tokens, cloud access keys, and cryptographic certificates. Monitoring network traffic for unauthorized data exfiltration attempts is also considered a critical step.

Looking Ahead

Supply chain security firms and registry maintainers are expected to increase scrutiny of new package submissions and updates in the wake of this campaign. The cybersecurity community anticipates further analysis will reveal the full extent of the compromise and potentially identify additional malicious packages linked to the same threat actor.

Official guidance for developers is likely to be updated by organizations like the open source Security Foundation and the Cybersecurity and Infrastructure Security Agency. These bodies often publish detailed advisories and mitigation steps following the disclosure of widespread supply chain threats.

Source: Socket Security Research