Saturday, April 13, 2024

Abandoned AWS S3 repositories distribute malicious code via npm packages



Threat from the Cloud: Abandoned AWS S3 Stores Spread Malicious Code via npm Packages

If you forget your S3 bucket, it can become a source of malware.

Cybercriminals have found a way to inject malicious code into npm packages without changing their source code: they used AWS S3 buckets that had been abandoned by their owners and replaced the binaries the packages need in order to work.

The attack was discovered by specialists at Checkmarx, who studied the compromise of the “bignum” package. The package distributed a malicious binary that stole users’ personal data and sent it to the hijacked S3 bucket.

Checkmarx has also found dozens of other npm packages that are affected by the same threat. This indicates the growing interest of cybercriminals in the software supply chain, which allows them to quickly reach a large number of potential victims.

AWS S3 buckets are cloud storage containers that can be used for website hosting or data backup. Each bucket is reachable at a unique URL, but owners may forget about the storage or stop using it. A cybercriminal can then take over the bucket and change its contents.

The “bignum” package used the node-gyp tool to download a binary file from an S3 bucket. When the bucket became unavailable, the attacker hijacked it and placed their own malicious binary there. When users installed or reinstalled the bignum package, they also downloaded the attacker’s file.

The malicious binary, written in C++, worked just like the original one, but it also collected user credentials and sent them to the hijacked S3 bucket.

The attack shows how important it is to keep your S3 buckets under control and not leave them unattended. It is also advisable to check the source of any binaries that npm packages download at install time. npm users can use tools such as npm audit or Snyk to find known vulnerabilities in their dependencies.



Source: www.securitylab.ru
