
Researchers Uncover npm Package Delivering RAT Via Microsoft Executable

https://sh.itjust.works/post/13054002

Researchers Uncover npm Package Delivering RAT Via Microsoft Executable - sh.itjust.works

Malicious Nuget Packages Found Delivering SeroXen RAT

https://sh.itjust.works/post/7022151

Malicious Nuget Packages Found Delivering SeroXen RAT - sh.itjust.works

Pretty sure it’s a bug in pycharm.

youtrack.jetbrains.com/issue/PY-28663

we’re working on a third party solution for this. Should have some updates that sandbox cargo builds shortly.

github.com/phylum-dev/birdcage

It’s a cross-platform sandbox that works on Linux via Landlock and macOS via Seatbelt. We’ve rolled this into our CLI (github.com/phylum-dev/cli) so you can do things like:

phylum

For example for npm, which currently uses the sandbox:

phylum npm install

We’re adding this to cargo to similarly sandbox crate installations. Would love feedback and thoughts on our sandbox!

GitHub - phylum-dev/birdcage: Cross-platform embeddable sandboxing

Cross-platform embeddable sandboxing. Contribute to phylum-dev/birdcage development by creating an account on GitHub.

GitHub

I’m one of the co-founders @ Phylum. We have a history of reporting these attacks/malware to the appropriate organizations. We work closely with PyPI, NPM, GitHub, and others - and have reported thousands of malicious packages in the last few years. If you were following GitHub’s recent security advisory, you can see a shout-out for some of our previous work. There are also public thanks from the Crates.io team for our efforts over on HN.

I say all this to assure you we didn’t write or release this malware. It just wouldn’t make sense, especially when these open-source ecosystems contain so much malware for us to hunt and report on already. Though I get the logic, we have seen other security companies do this - and called them out for it.

Our platform is free for developers and small teams (heck, I’ll give anyone who asks for it a free pro account if you really need it). We’ve open-sourced our CLI and sandbox that limits access to network/disk/env during package installation. We’re genuinely - really - trying to help make these ecosystems better.

Security alert: social engineering campaign targets technology industry employees

GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor.

The GitHub Blog

blog.phylum.io/sophisticated-highly-targeted-atta…

tl;dr several packages were recently published to npm that appear to be subtle command and control. Behaviors of the infrastructure seem to mimic those recently identified by Phylum as being nation state activity from North Korea.

Sophisticated, Highly-Targeted Attacks Continue to Plague npm

⚠️Update Aug 16, 2023: This appears to be an ongoing campaign. The actor recently published another package hreport-preview with slight modifications. Namely pulling reverse shells from https://img.murphysec-nb[.]love ⚠️Update Aug 17-19, 2023: This actor continues to publish packages, most recently crcloud-layout, urs-remote, essc-crypto, mh-web-hardware, and mall-front-babel-directive. The IOCs

Phylum

Sophisticated, Highly-Targeted Attacks Continue to Plague npm

https://sh.itjust.works/post/2828363

Sophisticated, Highly-Targeted Attacks Continue to Plague npm - sh.itjust.works

Targeted npm Malware Attempts to Steal Company Source Code and Secrets

https://sh.itjust.works/post/2168204

Targeted npm Malware Attempts to Steal Company Source Code and Secrets - sh.itjust.works

Slackware was my first Linux distro