Security researchers have discovered new malicious NPM packages that target code used by Amazon, Slack, Zillow, and Lyft and can steal Linux and Unix password files. According to the researchers, the packages can also open reverse shells back to the attackers.

Malicious NPM Packages Steal Linux and Unix Password Files of Amazon, Slack, and More!


According to a Bleeping Computer report, the underlying technique was first demonstrated by Alex Birsan, a security researcher who earned bug bounties from 35 companies by exploiting a weakness in how open-source development tools resolve package names.

IT Pro reported that the malicious code was found in JavaScript (NPM) packages. Through these packages, attackers can exfiltrate sensitive files from Unix and Linux systems.

Sonatype, a cybersecurity firm, said that the NPM packages carry malicious dependency-confusion payloads and that they impersonate components commonly used by companies such as Amazon, Slack, Lyft, and Zillow.

How the new NPM packages attack

The malicious NPM packages were published under the names lyft-dataset-sdk, serverless-slack-app, zg-rentals, and amzn. Dependency confusion abuses the way package managers for public registries such as PyPI, RubyGems, and NPM resolve names: when a public package shares a name with a company's internal package, the build may fetch the public package from the public repo instead of the internal one.


Security researchers also explained that the dependency-confusion flaw lets attackers inject their own malicious code into an internal application, turning a routine build into a supply-chain attack.
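To make the resolution problem described above concrete from the defender's side, here is an added example (not code from the article, Sonatype, or Bleeping Computer) that audits an npm lockfile for internal package names that were resolved from a host other than the company's private registry. The lockfile excerpt, the internal package names, and the private registry host `npm.example.internal` are all constructed for illustration; the helper `findConfusableDeps` is hypothetical and handles both lockfile v1 (nested `dependencies` tree) and v2/v3 (`packages` map) layouts.

```javascript
// Added example: audit an npm lockfile for dependency-confusion exposure.
// Hypothetical helper, not tooling from the article or the vendors it cites.
// Assumptions: internal package names and the private registry host are
// known; any internal name resolved elsewhere (or with no resolved URL at
// all) is reported as a finding.

// Constructed sample lockfile (lockfile v3 shape); not from a real project.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "billing-core": "1.2.0", express: "4.18.2" } },
    "node_modules/billing-core": {
      version: "99.0.0", // implausibly high version is a classic confusion tell
      resolved: "https://registry.npmjs.org/billing-core/-/billing-core-99.0.0.tgz",
    },
    "node_modules/@example/auth-lib": {
      version: "2.0.1",
      resolved: "https://npm.example.internal/@example/auth-lib/-/auth-lib-2.0.1.tgz",
    },
    "node_modules/express": {
      version: "4.18.2",
      resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
    },
    "node_modules/express/node_modules/debug": {
      version: "2.6.9",
      resolved: "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
    },
  },
};

// Constructed allowlist of names the company publishes only internally.
const INTERNAL_PACKAGES = new Set(["billing-core", "@example/auth-lib"]);
const PRIVATE_REGISTRY_HOST = "npm.example.internal";

// A lockfile v2/v3 "packages" key is a path such as
// "node_modules/a/node_modules/@scope/b"; the package name is everything
// after the last "node_modules/" segment. The root entry ("") has none.
function nameFromPackagePath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Host part of a resolved tarball URL, or null if it is not a parseable URL.
function registryHost(resolved) {
  try {
    return new URL(resolved).host;
  } catch {
    return null;
  }
}

// Collect every (name, version, resolved) triple from either lockfile layout.
function lockfileEntries(lockfile) {
  const entries = [];
  if (lockfile.packages) {
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      const name = nameFromPackagePath(path);
      if (name) entries.push({ name, version: meta.version, resolved: meta.resolved });
    }
  } else if (lockfile.dependencies) {
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps)) {
        entries.push({ name, version: meta.version, resolved: meta.resolved });
        if (meta.dependencies) walk(meta.dependencies); // lockfile v1 nests
      }
    };
    walk(lockfile.dependencies);
  }
  return entries;
}

// Report internal names that did not come from the private registry.
function findConfusableDeps(lockfile, internalNames, privateHost) {
  const findings = [];
  for (const e of lockfileEntries(lockfile)) {
    if (!internalNames.has(e.name)) continue;
    const host = registryHost(e.resolved || "");
    if (host !== privateHost) {
      findings.push({ name: e.name, version: e.version, host });
    }
  }
  return findings;
}

function main() {
  const findings = findConfusableDeps(SAMPLE_LOCKFILE, INTERNAL_PACKAGES, PRIVATE_REGISTRY_HOST);
  for (const f of findings) {
    console.log(`confusable: ${f.name}@${f.version} resolved from ${f.host}`);
  }
  return findings;
}

main();
```

Run against the constructed lockfile it reports `billing-core@99.0.0` as fetched from `registry.npmjs.org`, while `@example/auth-lib`, which came from the private registry, is silent. A check like this belongs in CI next to `npm ci`; the usual preventive control is to give internal packages a scope and pin that scope to the private registry in `.npmrc` (npm's `@scope:registry=` setting), so the public registry is never consulted for those names.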

"I was starting to wonder when we were going to see a malicious actor take advantage of the current situation. Finally, we've spotted one," said Juan Aguirre, a Sonatype security researcher, as quoted by Bleeping Computer.

"There is no scenario I can imagine where I'm going to submit a PoC for a bug bounty program that actually harms the organization. Taking their /etc/shadow file is definitely harmful," he added.

Malicious NPM packages' main target

Security experts said that the malicious NPM packages' main target is the ".bash_history" file in users' Linux home directories. Once the attackers obtain this file, they send it to a remote host under their control. It is a valuable target because it records every command typed in the shell, including any passwords passed as command-line arguments or typed as plain text.



This article is owned by TechTimes.

Written by: Giuliano de Leon.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.