A new portion of malicious NPM packages created for targeted attacks on the German companies Bertelsmann, Bosch, Stihl and DB Schenker have been uncovered. The attack uses the dependency mixing method, which manipulates the intersection of dependency names in public and internal repositories. In publicly available applications, attackers find traces of accessing internal NPM packages downloaded from corporate repositories, whereupon they place packages with the same names and newer version numbers in the public NPM repository. If, when building, internal libraries are not explicitly linked in the settings to their repository, the npm package manager considers the public repository to be a higher priority and downloads the package prepared by the attacker.
Unlike previously recorded attempts to spoof internal packages, usually undertaken by security researchers in order to receive rewards for identifying vulnerabilities in the products of large companies, the detected packages do not contain testing notifications and include obfuscated working malicious code that downloads and launches a backdoor for remote control of the affected system.
The total list of packages involved in the attack is not reported, as an example, only the packages gxm-reference-web-auth-server, ldtzstxwzpntxqn and lznfjbhurpjsqmr are mentioned, which were placed under the boschnodemodules account in the NPM repository with newer version numbers 0.5.70 and 4.0. 49 than the original internal packages. It is not yet clear how the attackers managed to find out the names and versions of internal libraries, which are not mentioned in open repositories. It is assumed that the information was obtained as a result of internal information leaks. Researchers who monitor the publication of new packages reported to the NPM administration that they detected malicious packages 4 hours after they were published.
Addendum: Code White stated that the attack was carried out by its employee as part of an agreed-upon simulation of an attack on customer infrastructure. During the experiment, the actions of real intruders were simulated to test the effectiveness of the implemented protection measures.