News [LWN.net] Multiple redhat-cloud-services npm packages compromised (StepSecurity Blog)

LinuxBot

StepSecurity is reporting that a number of npm packages in the @Redhat-cloud-services scope include malware that runs automatically on every npm install:

The payload is a multi-stage credential harvester that sweeps GitHub Actions secrets along with AWS, GCP, Azure, Kubernetes, HashiCorp Vault, npm, and CircleCI tokens, and it is purpose-built to evade detection, including an explicit attempt to bypass StepSecurity Harden-Runner.

StepSecurity analyzed @Redhat-cloud-services/[email protected] in full. Its index.js, executed at install time, is 4.2 MB, a file that should weigh a few kilobytes, with the real payload buried under three separate layers of obfuscation.

The malware is also a self-propagating worm: using stolen npm tokens and npm's bypass_2fa parameter, it republishes backdoored versions of other packages on its own, even against accounts protected by two-factor authentication, so every infected machine can seed the next wave with no attacker involvement. All affecte

Source: https://lwn.net/Articles/1075742/

Aggregated via Linux News