Multiple malicious NPM packages have been disclosed as part of an ongoing campaign named “LofyLife” that infects Discord users with two pieces of malware which siphon login credentials and payment card information from compromised systems, once again highlighting the supply chain threats that come with using code from open source repositories without proper auditing. Such attacks are also becoming more lucrative, as they provide more reach for less effort than targeting an individual company.
In a related development, it has also emerged that the metadata developers look at when deciding whether to use an open source project on GitHub can be easily forged through falsified code commits that alter the commit author and timestamp information or add fabricated contributors, giving ill-intentioned actors a way to gain credibility among users and trick them into downloading malicious code.
Specifically, Checkmarx researchers discovered that one could tamper with commit metadata so that a repository appears older than it actually is, or so that reputable contributors appear to have been involved in its maintenance. The idea is to push poisoned commits to a GitHub repository by spoofing the identity of a trusted contributor. This works because git stores the author and committer name, email and date as plain strings supplied by whoever creates the commit and never authenticates them; only a cryptographic commit signature that the reader actually verifies ties a commit to an identity. What makes this tactic worrisome is the fact that the user being spoofed does not get any notification about their account being added as a contributor to another project.
“To make their project look reliable, attackers can use this technique once or multiple times and populate their repository’s contributors section with known reliable contributors, which in turn, makes the project look trustworthy,” the researchers said.
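The following shell script is an added illustration of the spoofing described above, not code from the article or from Checkmarx. It creates a throwaway repository, commits with a forged author identity and a backdated timestamp using git's own environment variables, then applies the check a reviewer would want: git's per-commit signature status, where a good signature is the only evidence that the author field is more than a claim. The maintainer name, email and file are hypothetical, and the script assumes a git binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the article or from Checkmarx.
# git stores author/committer name, email and dates as caller-supplied
# strings, so a commit can claim any contributor and any age. The only
# thing an attacker cannot forge is a signature the reader verifies.
# All names, emails and file contents below are made up for the demo.
set -eu

# make_spoofed_repo: build a throwaway repository containing one commit
# whose author and dates are spoofed. Prints the repository path.
make_spoofed_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.name "attacker"
  git -C "$repo" config user.email "attacker@example.invalid"
  git -C "$repo" config commit.gpgsign false
  printf 'print("hello")\n' > "$repo/setup.py"
  git -C "$repo" add setup.py
  # Claim a hypothetical well-known maintainer and backdate the commit to
  # 2012-01-01T00:00:00Z (epoch 1325376000). git records both unchallenged.
  GIT_AUTHOR_NAME="Trusted Maintainer" \
  GIT_AUTHOR_EMAIL="maintainer@example.invalid" \
  GIT_AUTHOR_DATE="@1325376000 +0000" \
  GIT_COMMITTER_DATE="@1325376000 +0000" \
  git -C "$repo" commit -q -m "Initial import"
  echo "$repo"
}

# What a casual reader of the history sees: the spoofed author and the
# decade-old author date.
claimed_author() { git -C "$1" log -1 --format='%an <%ae>'; }
claimed_author_epoch() { git -C "$1" log -1 --format='%at'; }

# The check: %G? is git's signature status for a commit. "G" means a good
# signature from a trusted key; "N" means no signature at all, so the author
# line is an unverified claim. Detecting "N" does not need gpg installed.
signature_status() { git -C "$1" log -1 --format='%G?'; }

# Audit helper: list every commit that is NOT backed by a good signature,
# i.e. every commit whose author line could have been written by anyone.
unverified_commits() {
  git -C "$1" log --format='%G? %h %an <%ae>' | grep -v '^G ' || true
}

main() {
  repo=$(make_spoofed_repo)
  echo "claimed author : $(claimed_author "$repo")"
  echo "claimed date   : epoch $(claimed_author_epoch "$repo") (2012-01-01)"
  echo "signature      : $(signature_status "$repo")"
  echo "commits with no good signature:"
  unverified_commits "$repo"
  rm -rf "$repo"
}

main
```

The same idea applies on GitHub: a commit shows under a user's name purely because of its email string, so the useful controls are requiring signed commits on protected branches and checking the "Verified" status rather than the contributor list.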
In yet another instance disclosed by Sonatype, multiple typosquatted Python packages pushed to PyPI by an Italian developer were found to contain ransomware scripts (the decryption key, however, could be obtained without having to pay a ransom) as part of a “project that I developed for fun.” Although this is not an outright case of malware, the experiment falls into the gray area of planting malicious code in widely used software repositories.
The threat is part of a recurring theme, and it is just one of a seemingly endless stream of malicious packages specifically tailored to target the developer community. Since development environments are convenient targets for attackers trying to organize supply chain attacks, it is not surprising that malware operators are increasingly taking advantage of the open source nature of these platforms and repositories, which support a wide swath of the world's software, and frequently uploading malicious or fake packages to compromise developer systems and steal credentials and intellectual property.