Malicious NPM packages target German companies in supply chain attack
Cybersecurity researchers have discovered a number of malicious packages in the NPM registry that specifically target high-profile Germany-based companies in order to carry out supply chain attacks.
“Compared to most malware found in the NPM repository, this payload looks particularly dangerous: a very sophisticated and obfuscated piece of malware that acts as a backdoor and allows the attacker to take full control of the infected machine,” researchers at JFrog said in a new report.
The DevOps firm said evidence points to either the work of a sophisticated threat actor or a “very aggressive” penetration test.
All of the malicious packages, most of which have since been removed from the repository, were attributed to four “maintainers” – bertelsmannnpm, boschnodemodules, stihlnodemodules and dbschenkernpm – indicating an attempt to impersonate legitimate companies such as Bertelsmann, Bosch, Stihl and DB Schenker.
Some of the package names are said to be very specific, raising the possibility that the adversary managed to identify libraries hosted in internal company repositories in an attempt to stage a dependency confusion attack.
The conclusions build on a report from Snyk late last month, which detailed one of the offending packages, “gxm-reference-web-auth-server”, noting that the malware targets an unknown company that has a package of the same name in its private registry.
“The attacker(s) likely had information about the existence of such a package in the company’s private registry,” Snyk’s security research team said.
“The attack is highly targeted and relies on hard-to-obtain insider information,” the researchers said. On the other hand, “the usernames created in the NPM registry did not attempt to hide the targeted company.”
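Dependency confusion of the kind described above works because a package manager that sees the same name in a private and a public registry may install the public copy. The following Node.js script is an added example, not code from JFrog, Snyk or the affected companies: it audits a package-lock.json (lockfileVersion 2/3 `packages` layout) against a list of names known to be internal and reports any that resolved to a host other than the private registry. The private registry host, the second internal name and the lockfile contents are constructed for illustration; only “gxm-reference-web-auth-server” comes from the report.

```javascript
// Added example (not JFrog's or Snyk's code): flag dependency-confusion
// candidates in a package-lock.json. Constructed assumptions: the private
// registry is npm.internal.example, and the names below exist only there.
const PRIVATE_REGISTRY_HOST = "npm.internal.example";
const INTERNAL_PACKAGE_NAMES = new Set([
  "gxm-reference-web-auth-server", // package name cited in the Snyk report
  "internal-billing-utils",        // constructed example name
]);

// Constructed lockfile fragment in the lockfileVersion 2/3 "packages" layout.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/gxm-reference-web-auth-server": {
      version: "99.0.0", // implausibly high version is typical confusion bait
      resolved: "https://registry.npmjs.org/gxm-reference-web-auth-server/-/gxm-reference-web-auth-server-99.0.0.tgz",
    },
    "node_modules/internal-billing-utils": {
      version: "1.4.2",
      resolved: "https://npm.internal.example/internal-billing-utils/-/internal-billing-utils-1.4.2.tgz",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

// Returns every internal-named package whose resolved tarball did not come
// from the private registry; a public host here is the confusion signature.
function findConfusedDependencies(lock, internalNames, privateHost) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry, not a dependency
    const name = path.split("node_modules/").pop(); // handles nesting and @scopes
    if (!internalNames.has(name)) continue;
    const host = entry.resolved ? new URL(entry.resolved).host : "(unresolved)";
    if (host !== privateHost) {
      findings.push({ name, version: entry.version, resolvedFrom: host });
    }
  }
  return findings;
}
```

Running the audit in CI against the real lockfile, with the organisation's own internal name list, turns the "same name in a private registry" condition the report describes into a concrete check.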