Attackers have been exploiting a major weakness that has allowed them to seed the NPM code repository with more than 100 credential-stealing packages since August, mostly undetected.
The discovery, presented Wednesday by security firm Koi, draws attention to an NPM practice that allows installed packages to automatically fetch and execute unvetted packages from untrusted domains. Koi said that a campaign it tracks as PhantomRaven has exploited NPM’s support for “Remote Dynamic Dependencies” to flood NPM with 126 malicious packages that have been downloaded more than 86,000 times. About 80 of those packages were still available as of Wednesday morning, Koi said.
A blind spot
“PhantomRaven demonstrates how sophisticated attackers are becoming in exploiting blind spots in traditional security tools,” wrote Koi’s Oren Yomtov. “Remote Dynamic Dependencies are not visible to static analysis.”
Remote Dynamic Dependencies provide greater flexibility in fetching dependencies, the code libraries that many other packages require in order to work. Normally, dependencies are visible to the developer who installs the package, and they are downloaded from NPM’s own trusted infrastructure.
RDDs work differently: they allow a package to download dependencies from untrusted websites, even over plain HTTP, which is unencrypted. The PhantomRaven attackers took advantage of this leniency by including code in the 126 packages uploaded to NPM that downloads malicious dependencies from URLs, including http://packages.storeartifact.com/npm/unused-imports. Koi said these dependencies are “invisible” to developers and to many security scanners, which instead report that the package contains “0 dependencies.” An NPM feature causes these invisible downloads to be installed automatically.
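The blind spot described above comes down to what a dependency value in package.json is allowed to be. As an added example (not code from Koi’s report or from NPM itself), the Python checker below parses a manifest and reports every dependency whose value is a URL, Git reference or GitHub shorthand rather than a registry version range, which are the forms NPM resolves outside its own registry. It also shows what a scanner that only understands registry specs would count, which is how a package carrying remote dependencies ends up reported as having none. The sample manifest, package names and hostnames are constructed placeholders, not values from the campaign.

```python
"""Flag package.json dependencies that NPM would fetch from outside the registry."""
import json
import re
from urllib.parse import urlparse

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

# Non-registry forms NPM accepts as a dependency value (per its package.json docs):
# tarball URLs, Git URLs, hosted shorthand such as github:user/repo, and bare user/repo.
_GIT_SCHEMES = {"git", "git+ssh", "git+http", "git+https", "git+file"}
_HOSTED_PREFIXES = ("github:", "gitlab:", "bitbucket:", "gist:")
_GITHUB_SHORTHAND = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(#.*)?$")


def classify_spec(spec):
    """Return (kind, detail) for one dependency value.

    kind is 'registry' for ordinary semver ranges, dist-tags and npm: aliases;
    otherwise it names the remote mechanism NPM would use to fetch the code.
    """
    s = spec.strip()
    if s.startswith("npm:"):
        return "registry", "alias"
    if s.startswith("file:"):
        return "local", s
    if s.startswith(_HOSTED_PREFIXES):
        return "hosted-git", s
    parsed = urlparse(s)
    if parsed.scheme in _GIT_SCHEMES:
        return "git-url", parsed.hostname or ""
    if parsed.scheme in ("http", "https"):
        return "remote-tarball", parsed.hostname or ""
    if _GITHUB_SHORTHAND.match(s) and not s.startswith("@"):
        return "hosted-git", "github:" + s
    return "registry", s


def find_remote_dependencies(package_json_text):
    """Return a finding for every dependency resolved somewhere other than the registry."""
    manifest = json.loads(package_json_text)
    findings = []
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            spec = str(spec)
            kind, detail = classify_spec(spec)
            if kind == "registry":
                continue
            # A plain-HTTP tarball is the worst case: unauthenticated, unencrypted,
            # and re-fetched from the remote host on every install.
            unencrypted = kind == "remote-tarball" and spec.lower().startswith("http://")
            findings.append({
                "field": field,
                "name": name,
                "spec": spec,
                "kind": kind,
                "host": detail,
                "severity": "high" if unencrypted else "medium",
            })
    return findings


def registry_only_count(package_json_text):
    """What a scanner that only understands registry specs would report as the dependency count."""
    manifest = json.loads(package_json_text)
    return sum(
        1
        for field in DEP_FIELDS
        for spec in manifest.get(field, {}).values()
        if classify_spec(str(spec))[0] == "registry"
    )


# Constructed sample manifest; names and hostnames are placeholders, not real packages.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-linter-helper",
    "version": "1.0.0",
    "dependencies": {
        "remote-helper": "http://packages.example.invalid/npm/remote-helper",
        "some-lib": "git+https://git.example.invalid/org/some-lib.git",
        "other": "someuser/other-repo",
    },
    "devDependencies": {
        "eslint": "^9.0.0",
        "aliased": "npm:real-package@^2.0.0",
    },
})

if __name__ == "__main__":
    for finding in find_remote_dependencies(SAMPLE_PACKAGE_JSON):
        print(f"[{finding['severity']}] {finding['field']}.{finding['name']}: "
              f"{finding['kind']} from {finding['host']}")
    print("registry-only dependency count:", registry_only_count(SAMPLE_PACKAGE_JSON))
```

Run against the sample, the checker reports three non-registry dependencies (one unencrypted tarball, one Git URL, one GitHub shorthand) while the registry-only count is two, which is the gap a manifest-only scanner falls into. Running the same check over a lockfile or over every package.json under node_modules after installation extends it to transitive dependencies, which is where such entries are easiest to miss.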
Compounding the weakness, dependencies are downloaded “fresh” from the attacker’s server each time a package is installed, rather than being cached, versioned, or static, as Koi explained:
