
"The malware abuses npm's preinstall script hook, a script that executes during the package-installation process. That preinstall script is a file that is part of the npm package itself that also contains code that launches an operating system-specific single line of code to initiate the full infection chain."
"The malware that winds up being embedded then uses well-known web services to set up a command-and-control relay through which data is exfiltrated. That technique makes the traffic look legitimate so it is less likely to be blocked by network security platforms."
"Software engineering teams that discover this malicious package in their software supply chain should rebuild their IT environment on the assumption the existing code bases and underlying platforms have been compromised."
Security researchers discovered the "ambar-src" malicious npm package, which mimicked the legitimate "ember-source" package and was downloaded approximately 50,000 times. The malware exploited npm's preinstall script hook to execute during installation, running an OS-specific hex-encoded command to initiate infection. The embedded malware established command-and-control relays through legitimate web services, disguising malicious traffic to bypass network security. Affected organizations should assume their code bases and platforms are compromised and rebuild their environments. Teams must implement full visibility across software supply chains to ensure only trusted packages are used in application development.
#npm-security #supply-chain-attacks #malware-detection-evasion #devsecops-best-practices #package-management-vulnerabilities
Read at DevOps.com