Growing risk around developers being prime targets of software supply chain assaults is alarmingly evident with the recent detection of malicious packages within the Rust programming language's crate registry. As reported by cybersecurity firm Phylum, several injurious libraries were uploaded between August 14 and 16, 2023. Notably, these libraries were published under the alias "amaperf".
The packages, which have since been eliminated from the registry, were identified as postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger. The specific objective of this malicious campaign is yet to be ascertained. However, the harmful programs were found to shield functionalities that captured the operating system information and relayed the collected data to a specific Telegram channel using the messaging platform's API.
Given the nature of these malicious intrusion techniques, one can hypothesize that the threat actor aimed to undermine as many developer environments as feasible to initiate unauthorized updates with escalated data extraction capabilities. Experts at Phylum expressed grave concerns about the vulnerability of developers given their access to highly valuable resources like SSH keys, production facilities, and invaluable company intellectual property.
Regrettably, supply chain attacks targeting crates.io are not unfamiliar occurrences. SentinelOne brought to light an attack campaign referred to as "CrateDepression" in May 2022, which employed typosquatting methods to pilfer sensitive information and illicitly download files.
In addition to the information about the Rust programming language's crate registry, Phylum also revealed a destructive npm package named "emails-helper”. This package set up a callback mechanism to extract machine information and trigger encrypted binaries to conventionally legit repositories. As per Phylum, "Data exfiltration is attempted via HTTP, and if this fails, the attacker reverts to exfiltrating data via DNS". The harmful package released penetration testing tools such as dnscat2, mettle, and Cobalt Strike Beacon.
It's essential to highlight that seemingly harmless actions like running npm install can trigger these harmful attack chains. Such instances make it even more crucial for those involved in software development to maintain extreme caution and conduct vigilant due diligence on an ongoing basis.
As we journey through the constantly evolving landscape of cybersecurity, we continue to bear witness to escalating threats as well as intricate mechanisms to combat these challenges. As a key player within this space, we urge you to stay informed and actively pursue every last thread of insight, advice and news on cybersecurity to protect your digital assets and maintain a secure operational environment.
At Darksteel Technologies, we are an Orlando based business that can handle all aspects of your IT security. Providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.