Originally I wanted to post this in section "Announcements, Package & Security Advisories", but somehow I can't, so I post it here as a warning for maintainers and other people: https://apiiro.com/blog/malicious-code- … on-attack/
Last edited by xerxes_ (2024-03-22 17:44:06)
Thanks! I posted the link previous Saturday on #archlinux-offtopic, so hopefully some got the warning.
For concerned bystanders: this is not a direct risk to existing Arch Linux packages. In general you may sleep well.
The danger appears while creating new packages, because a maintainer may fall victim of social engineering and use a wrong Git repository address. This is something to watch for. Also upstream authors may become targets and introduce malicious code through Git submodules.
Sometimes I seem a bit harsh — don’t get offended too easily!
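The submodule risk mentioned above (an upstream project pulling code from a repository the maintainer never looked at) can be surfaced during package review with a small check on the upstream's `.gitmodules`. The script below is an added example, not from this thread or from any Arch tooling: it parses the `.gitmodules` file and flags submodules whose remote host or owner differs from the parent repository's. The sample `.gitmodules` text and the parent URL are constructed for illustration.

```python
"""Flag Git submodules whose remote differs from the parent repository's host/owner.

Added example (not from the thread). The .gitmodules format is the same
INI-like syntax Git uses for its config files, so configparser can read it.
"""
import configparser
from urllib.parse import urlparse


def parse_gitmodules(text):
    """Return {name: {'path': ..., 'url': ...}} from .gitmodules content."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    mods = {}
    for section in cp.sections():
        # Sections look like: [submodule "vendor/libfoo"]
        if section.startswith('submodule "') and section.endswith('"'):
            name = section[len('submodule "'):-1]
            mods[name] = {
                "path": cp.get(section, "path", fallback=""),
                "url": cp.get(section, "url", fallback=""),
            }
    return mods


def repo_identity(url):
    """Return (host, owner) for https://, ssh:// and scp-like (git@host:owner/repo) URLs."""
    if "://" in url:
        p = urlparse(url)
        host, path = (p.hostname or ""), p.path
    elif ":" in url and "@" in url.split(":", 1)[0]:
        hostpart, path = url.split(":", 1)
        host = hostpart.split("@", 1)[1]
    else:
        return ("", "")  # unknown form
    parts = [s for s in path.split("/") if s]
    owner = parts[0] if len(parts) >= 2 else ""
    return (host.lower(), owner.lower())


def suspicious_submodules(parent_url, gitmodules_text):
    """List (name, url, reason) for submodules not hosted alongside the parent repo."""
    parent_host, parent_owner = repo_identity(parent_url)
    findings = []
    for name, mod in parse_gitmodules(gitmodules_text).items():
        url = mod["url"]
        if url.startswith(("./", "../")):
            continue  # relative URLs resolve against the parent remote: same host and owner
        host, owner = repo_identity(url)
        if host != parent_host:
            findings.append((name, url, "different host than %s" % parent_host))
        elif owner != parent_owner:
            findings.append((name, url, "different owner than %s" % parent_owner))
    return findings


# Constructed sample input (hypothetical project and submodules).
PARENT_URL = "https://github.com/example-org/project.git"
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
    path = vendor/libfoo
    url = https://github.com/example-org/libfoo.git
[submodule "third_party/helper"]
    path = third_party/helper
    url = https://github.com/someone-else/helper.git
[submodule "tools/build"]
    path = tools/build
    url = ../build-tools.git
"""

if __name__ == "__main__":
    for name, url, reason in suspicious_submodules(PARENT_URL, SAMPLE_GITMODULES):
        print(f"review: {name} -> {url} ({reason})")
```

A hit here is a prompt to read that submodule's history and pinned commit before packaging, not a verdict: plenty of honest projects vendor third-party code this way, which is exactly why the listing is worth a glance rather than an automatic block.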
One more reason to stay away from the usual aur helper suspects...
Using AUR or AUR helpers isn’t making this threat worse than it is for official packages. In the worst case they’re the same:
A malicious upstream repo being used: both official and AUR maintainers are equally affected.
A malicious submodule being used by upstream: the user can’t notice it in normal usage in both official packages and AUR PKGBUILDs.
In the expected case at least some AUR users are going to check the PKGBUILD. In March 2024 all but one of listed AUR helpers support review. Nobody reviews PKGBUILDs of official packages while running `pacman -S…`. Clearly AUR and AUR helpers are, regarding this particular threat, coming out as better than the official repos. The scale of this difference and whether it’s notable is another story.
Last edited by mpan (2024-03-11 19:46:50)
Over 800 npm Packages Found with Discrepancies, 18 Exploitable to 'Manifest Confusion':
https://thehackernews.com/2024/03/over- … -with.html
The problem stems from the fact that the npm registry does not validate whether the manifest file contained in the tarball (package.json) matches the manifest data provided to the npm server during the publishing process via an HTTP PUT request to the package URI endpoint.
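The discrepancy described in the quoted paragraph can be checked directly: fetch the registry's manifest for a version and compare it with the package.json inside that version's tarball. The script below is an added example, not from this thread or from the linked article; both the "registry" manifest and the tarball are constructed in memory so it runs offline, and the package name, dependency and script in it are hypothetical.

```python
"""Detect npm 'manifest confusion': registry manifest vs tarball package.json.

Added example (not from the thread). The registry keeps the manifest sent in
the publish PUT request separately from the package.json in the tarball, so
a tool that trusts only the registry copy can be shown a different picture
of dependencies and install scripts than what lands on disk.
"""
import io
import json
import tarfile

# Fields whose disagreement matters most for what an install actually does.
COMPARED_FIELDS = ("name", "version", "dependencies", "scripts", "main")


def read_tarball_manifest(tar_bytes):
    """Return the package.json dict from an npm-style tarball (files live under package/)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            if member.name in ("package/package.json", "./package/package.json"):
                return json.loads(tf.extractfile(member).read().decode("utf-8"))
    raise ValueError("package/package.json not found in tarball")


def manifest_discrepancies(registry_manifest, tarball_manifest, fields=COMPARED_FIELDS):
    """Return {field: (registry_value, tarball_value)} for every field that differs."""
    diffs = {}
    for field in fields:
        reg, tar = registry_manifest.get(field), tarball_manifest.get(field)
        if reg != tar:
            diffs[field] = (reg, tar)
    return diffs


def build_sample_tarball(manifest):
    """Constructed helper: pack a package.json into an in-memory npm-style tarball."""
    buf = io.BytesIO()
    data = json.dumps(manifest).encode("utf-8")
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: the manifest the registry serves (what the publisher
# sent in the PUT) claims no dependencies and no scripts...
REGISTRY_MANIFEST = {
    "name": "example-widget",
    "version": "1.2.3",
    "main": "index.js",
    "dependencies": {},
}
# ...while the package.json inside the tarball declares an extra dependency
# and a postinstall script (hypothetical names).
TARBALL_MANIFEST = {
    "name": "example-widget",
    "version": "1.2.3",
    "main": "index.js",
    "dependencies": {"example-extra-dep": "^0.0.1"},
    "scripts": {"postinstall": "node setup.js"},
}


def check_sample():
    """Run the comparison on the constructed pair and return the discrepancies."""
    tar_bytes = build_sample_tarball(TARBALL_MANIFEST)
    return manifest_discrepancies(REGISTRY_MANIFEST, read_tarball_manifest(tar_bytes))


if __name__ == "__main__":
    for field, (reg, tar) in check_sample().items():
        print(f"{field}: registry={reg!r} tarball={tar!r}")
```

Against a real package you would feed `read_tarball_manifest` the bytes of the published tarball and `manifest_discrepancies` the version object from the registry's packument; any non-empty result for `dependencies` or `scripts` means the code being installed is not the code the metadata advertises, which is the condition the article counts as exploitable.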
With thousands of packages available, the repository is an attractive target for threat actors, who often upload typosquatted or fake packages to compromise software developers and potential supply-chain attacks.
(...) the list of malicious packages is over 500 and were deployed in two stages. The researchers say that each package originated from unique maintainer accounts with distinct names and emails.
Manipulating projects' popularity on GitHub by cyber-criminals to infect developers wanting to use them:
https://checkmarx.com/blog/new-techniqu … in-attack/
https://medium.com/checkmarx-security/t … 42f5913fb7
https://medium.com/checkmarx-security/h … ef2ce8b822
This is also some kind of attack on open source - on young people having energy and will to do something useful for the world... and for themselves.
Last edited by xerxes_ (2024-04-14 19:42:49)