Crypto wallets targeted in malicious npm campaign

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs (RL).

This week: RL researchers have identified another npm package that maliciously patches locally installed software in order to hijack crypto transfers. Also: a flaw in ESET antivirus software, now patched, that Kaspersky links to the ToddyCat group's efforts to spread malware.

This Week’s Top Story

Crypto wallets targeted in malicious npm campaign

RL has detected a malicious npm package, pdf-to-office, that poses as a library for converting PDF files to Microsoft Office documents. When run on a victim's machine, the package injects malicious code into locally installed copies of two legitimate crypto wallet applications, Atomic Wallet and Exodus, overwriting the wallets' own, non-malicious files in the process.

The injected code also defeats the victim's choice of recipient: it is designed to swap the destination address of any outgoing transfer for the attacker's wallet address, so funds the victim intends to send never reach the wallet they selected.

This incident is one of many spotted recently by RL threat researchers in which malicious actors abuse open-source software (OSS) repositories to tamper with legitimate crypto packages and steal assets such as Web3 wallets and crypto funds.

Nor is this the only campaign to use the tactic of uploading packages to popular OSS repositories that apply malicious "patches" to locally installed versions of legitimate libraries, so that the malicious code ends up inside an otherwise trusted library where it is less likely to be noticed. RL researchers spotted the same tactic last month in a campaign that targeted the legitimate package ethers.

Researchers spotted this incident using RL Spectra Assure for software supply chain security, the enterprise solution used to vet the software you build or buy. 

(RL Blog)

This Week’s Headlines

Flaw in ESET security software used to spread malware

Researchers at Kaspersky have discovered that suspected nation state-backed hackers could be exploiting a vulnerability in security software from ESET to infect targeted devices with malware. The vulnerability (CVE-2024-11859) is a DLL search-order hijacking flaw: an attacker who can already write a file where ESET's antivirus scanner looks for its libraries plants a malicious dynamic-link library (DLL), which the scanner then loads and executes. Because the malicious code runs inside a trusted security product, it attracts little scrutiny and, in the case Kaspersky describes, was designed to avoid triggering system alerts. ESET confirmed the flaw and released a fix, and is urging users of its antivirus scanner to update the software to prevent potential exploitation. However, ESET said it had not seen the flaw exploited in the wild. (The Record)

NK hackers deploy malicious npm packages

The North Korea-backed Lazarus Group is continuing the malicious campaign dubbed "Contagious Interview," in which the threat actors are now publishing more malicious packages to npm that deliver the BeaverTail malware, as well as a new remote access trojan (RAT) loader. Researchers at Socket believe these latest malware samples "employ hexadecimal string encoding to evade automated detection systems and manual code audits," showing that Lazarus Group is changing its obfuscation techniques. All 11 packages were collectively downloaded more than 5,600 times before npm removed them from the registry. Researchers assert that the goal of Lazarus's Contagious Interview operation is to infiltrate developer systems under the guise of a job interview process, stealing developers' data and financial assets and maintaining long-term access to their systems. (The Hacker News)

AI copilots are wrecking code security and leaking secrets

A new study by GitGuardian found that software repositories with GitHub Copilot enabled are 40% more likely to expose secrets such as API keys, passwords or tokens than comparable repositories without it. Attackers who harvest such secrets can use them to reach every system and supply chain that trusts the leaked credentials. The report also found a 25% year-over-year increase in leaked secrets, with 23.8 million new secrets detected on GitHub in 2024 alone. GitGuardian further reports that "generic" secrets, hard-coded passwords, database credentials and custom authentication tokens that have no recognizable format for conventional pattern-matching tools to key on, now account for more than half of all detected leaks. (CSO)

Software supply chain risks persist — along with tool overload and limited visibility

A global survey of 1,402 software development, cybersecurity, and IT operations professionals found that 71% of organizations still permit developers to download code packages directly from the internet, a major software supply chain security risk. Fewer than half of respondents (43%) conduct security scans at both the source code and binary levels, and 40% admit they lack full visibility into the origin of the software they deploy. Respondents' answers about their organizations' security tooling also pointed to tool sprawl, alert fatigue, and a rising share of false positives in security scans. (SC Media)

Worried about threats to your development pipeline? RL Spectra Assure provides enterprise software organizations with early and actionable feedback on software supply chain risks like malware, tampering, and exposed secrets — without slowing down development.

The Best of RL

Podcast | ConversingLabs: AppSec Girl Power

RL chatted with application security (AppSec) leader Tanya Janca about how her career embodies AppSec Girl Power, from her start as a software developer to her current role as a prominent voice in secure coding. (Watch It Here)

Webinar | The Developer’s Guide to Supply Chain Security

Tuesday, April 15 at 11am ET

Join RL’s Kadi (Grigg) McKean as she talks with developer champion Steve Poole and cyber strategist Andy Lewis to break down the fundamentals of developer-centric software supply chain security. The team will explore its unique challenges, and discuss actionable strategies for safeguarding your development process. (Save Your Seat)

Webinar | Research Roundup: Poisoned Pickles and Bad Patches

Thursday, April 17 at 11am ET

Join RL threat researchers Karlo Zanki and Lucija Valentić for a look at recent malicious software supply chain campaigns targeting cryptocurrency and AI ecosystems — and what they mean for software and AI supply chain security. (Save Your Seat)

For more insights on software supply chain security, see the RL Blog
