Researchers have detected a new package backfill attack method that targets well-known Amazon Web Services (AWS) packages. They have identified two packages being malicious versions of original AWS packages actively used in attacks.
The attack
The attackers were found scanning AWS projects for dependencies not registered in the public npmjs registry and using their names to upload the unregistered malicious packages. - Of the two malicious packages detected, the first package is named hl7.fhir.r3.core and includes a package.json file with no actual malicious content. This package may be uploaded as a test by the malicious actor.
- The second is @aws-cdk-example-dynamic-web-config/shared containing malicious code to steal user details such as OS, hostname, and env variables.
- Besides, other information, such as CPU architecture, total available memory, total free memory, network interfaces with IP addresses, netmask, and MAC address, are collected.
The back story
The attackers implement a name takeover technique that uses the name of the unused, original package and published that package to npm with reconnaissance code.
- Around 13 months ago, the package hl7.fhir.r3.core was officially referenced by AWS as an open-source package. Similarly, the package named @aws-cdk-example-dynamic-web-config/shared was officially published by AWS in January 2022.
- In due course, these packages were removed by the original authors for unknown reasons.
- However, the attackers found unregistered package names referenced from other AWS projects by finding packages that used to be a dependency of other projects and leveraged them to populate new malicious packages with the same name.
Protection
Experts have suggested various ways to prevent such name takeovers by using a checksum-based lockfile. Further, it is recommended to use verified package sources to avoid malicious packages.