A targeted attack on the npm registry has raised significant concerns in the software development community, affecting more than 40 packages and allowing the injection of malicious scripts. According to cybersecurity researchers, the attack focuses on compromised versions that contain a function that downloads and modifies packages, then injects a local script called ‘bundle.js’. This script is designed to download and execute TruffleHog, a legitimate secret scanning tool, with the aim of searching for tokens and credentials on developers’ machines.
Audit the environments
The malicious script runs on both Windows and Linux systems, which widens the attack's reach. Among the secrets TruffleHog is directed to search for are credentials such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. According to the security firm Socket, the script also validates npm tokens and can interact with GitHub APIs, facilitating the exfiltration of data to an external server controlled by the attackers.
The developer community has been urged to audit their environments and, if affected packages are found, to rotate npm tokens as well as any other exposed secrets. Separately, phishing emails sent from a fake domain and aimed at stealing GitHub credentials have been reported. These messages warn of a supposed breach of the crates.io infrastructure and suggest that users click on links to rotate their login information.

The team at the Rust Security Response Working Group has confirmed that these emails are fraudulent and come from a domain not controlled by the Rust Foundation. Measures are being taken to monitor suspicious activity on crates.io and work is underway to eliminate the phishing domain.