Images weaponised in latest supply chain attack


Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


A series of malicious packages disguised as legitimate software have been discovered in the npm registry by cybersecurity firm Phylum.

The packages – identified on 13 July 2024 – contained hidden command and control functionality embedded within image files, executed during the installation process.

Phylum researchers uncovered two packages in this campaign, with one named “img-aws-s3-object-multipart-copy” mimicking a legitimate GitHub library. The malicious version included modifications to execute a new script called “loadformat.js” upon installation.

The loadformat.js file, while appearing innocuous at first glance, contained sophisticated code designed to extract and execute hidden payloads from image files bundled with the package. Phylum’s analysis revealed that one of these images, disguised as a Microsoft logo, contained malicious code capable of establishing a connection with a command and control server.
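The two traits described above, an install-time hook in package.json and bundled images that carry data past their end-of-image marker, are both checkable before a package is installed. The following is an added illustration of that check, not code from Phylum's report or from the packages it analysed; the package.json contents and the image bytes are constructed samples, and the script name is only taken from the article.

```python
import json
import struct

# Lifecycle scripts npm runs automatically during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8"


def install_hooks(package_json_text):
    """Return only the scripts that would run at install time."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def trailing_bytes(data):
    """Return whatever follows the image's end-of-file marker.

    PNG: walk the chunk list (length, type, data, CRC) to the IEND chunk.
    JPEG: take the last EOI marker (FF D9); a payload that itself contains
    FF D9 would shorten the result, so treat an empty result as "no finding",
    not as proof of a clean file. Viewers ignore trailing data, which is why
    it is a convenient place to stash a payload.
    """
    if data.startswith(PNG_MAGIC):
        pos = len(PNG_MAGIC)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            end = pos + 8 + length + 4  # 8-byte header + data + 4-byte CRC
            if ctype == b"IEND":
                return data[end:]
            pos = end
        return b""  # no IEND chunk: truncated or not a PNG we can judge
    if data.startswith(JPEG_MAGIC):
        eoi = data.rfind(b"\xff\xd9")
        return data[eoi + 2:] if eoi != -1 else b""
    return b""


def suspicious(package_json_text, images):
    """Flag a package that hooks the install phase AND ships padded images.
    `images` maps file name -> file bytes. Returns (flag, hooks, padded)."""
    hooks = install_hooks(package_json_text)
    padded = {name for name, data in images.items() if trailing_bytes(data)}
    return bool(hooks) and bool(padded), hooks, padded


# Constructed samples (hypothetical package name; not real artifacts)
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg",
    "scripts": {"postinstall": "node loadformat.js", "test": "jest"},
})
CLEAN_PNG = PNG_MAGIC + struct.pack(">I", 0) + b"IEND" + b"\xaeB`\x82"
PADDED_PNG = CLEAN_PNG + b"// bytes a viewer never renders"
```

Either trait alone is common in benign packages, so the combination is the signal worth triaging; extracting the trailing bytes for manual review is more useful than the boolean.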

“Hiding payloads in images is not a new concept,” Phylum stated in their report. “However, when an attacker tries to hide their payloads so deeply, we can only assume they are sophisticated and operating with clear malicious intent.”

The extracted payload included functionality to register infected machines with the attacker’s server, periodically fetch and execute commands, and transmit results back to the attacker. The command and control server was identified as operating from the IP address 85.208.108.29.

Of particular concern is the length of time these malicious packages remained available on the npm registry.

“The malicious packages remained available on npm for nearly two days,” Phylum noted. “This is worrying as it implies that most systems are unable to detect and promptly report on these packages, leaving developers vulnerable to attack for longer periods of time.”

This incident highlights the growing sophistication of supply chain attacks targeting open-source ecosystems. Phylum emphasises the critical need for developers and security organisations to exercise extreme caution when incorporating open-source libraries into their projects.

Developers are urged to remain vigilant and to make better use of detection capabilities to combat these increasingly sophisticated attacks on software supply chains.

(Photo by Jan Antonin Kolar)
