Decrypt LOL

Supply Chain Attack Discovered in @0xengine/xmlrpc Package

Quick take - The Checkmarx Research team has identified a supply chain attack involving the @0xengine/xmlrpc npm package. The package started life as a legitimate XML-RPC implementation and later versions added malicious code that steals sensitive data and mines cryptocurrency. At the time of the investigation 68 compromised systems were observed, and the case underscores the need for stronger vetting of open-source dependencies.

Fast Facts

  • A significant supply chain attack was discovered involving the @0xengine/xmlrpc package: published in October 2023 as a legitimate XML-RPC implementation, it began carrying malicious code in later versions and remained available through November 2024.
  • The malware targets sensitive data, stealing SSH keys and bash history every 12 hours, while also mining Monero cryptocurrency using XMRig software on infected Linux systems.
  • The attack was distributed through direct installation from the Node Package Manager (NPM) and as a hidden dependency in a GitHub repository called “yawpp,” which poses as a WordPress posting tool.
  • Evasion techniques are employed by the malware, including monitoring for detection tools and initiating mining activities only after user inactivity, while disguising itself as a legitimate service for persistence.
  • The campaign underscores the need for thorough vetting of open-source projects, ongoing monitoring of package updates, and regular audits of dependencies to enhance security measures.

Significant Supply Chain Attack Uncovered

The Checkmarx Research team has uncovered a significant supply chain attack involving the package @0xengine/xmlrpc. The package was published in October 2023 and remained available through November 2024, initially functioning as a legitimate XML-RPC implementation. Later versions incorporated malicious code; the package received 16 updates over its lifetime, with the most recent version published on October 4, 2024.

Malware Functionality

The malware associated with this attack is designed to steal sensitive data, collecting SSH keys and bash history every 12 hours and exfiltrating them through platforms such as Dropbox and file.io. It also mines cryptocurrency on infected systems.

The attack utilized two primary distribution methods: direct installation from the Node Package Manager (NPM) and as a hidden dependency within a GitHub repository named “yawpp,” which markets itself as a WordPress posting tool. This repository requires @0xengine/xmlrpc as a dependency, leading to the inadvertent installation of the malicious package.

Attack Mechanism

The attack is multi-stage and combines cryptocurrency mining with data exfiltration. The malicious code activates when users execute commands with specific flags or run scripts from the yawpp tool. Once activated, it collects system information and deploys a cryptocurrency mining component, primarily targeting Linux systems. The mining operation uses XMRig to mine Monero, with rewards directed to a wallet address controlled by the attacker.

At the time of investigation, 68 compromised systems were observed, actively mining cryptocurrency for the attacker. Evasion techniques are employed by the malware, which monitors for detection tools and only initiates mining activities after a period of user inactivity. To ensure persistence, the malware disguises itself as a legitimate session authentication service and is configured to start automatically with the system, systematically collecting sensitive data every 12 hours.

Recommendations and Ongoing Monitoring

This campaign highlights the crucial importance of thorough vetting of open-source projects and ongoing monitoring of package updates. Developers and organizations are urged to implement robust security measures, with regular audits of dependencies recommended to mitigate risks. Checkmarx is committed to continuously monitoring suspicious activities and alerting customers to potential threats within the open-source software ecosystem. Specific indicators of compromise (IOCs) related to the attack have been identified, including URLs for downloading malicious components and the wallet address used for cryptocurrency mining.
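The hidden-dependency route described above (yawpp pulling in @0xengine/xmlrpc) is exactly what a routine dependency audit should catch: a project that never lists the package directly still installs it transitively. The following script is an added example, not Checkmarx's code or anything from the yawpp or @0xengine/xmlrpc projects. It walks an npm lockfile (lockfileVersion 2 or 3, which keeps a flat "packages" map keyed by node_modules path), resolves each dependency the way npm does (nested first, then hoisted), and reports every chain that reaches a flagged package. The sample lockfile embedded in it is constructed for illustration; its version numbers are placeholders, since the page does not name the affected versions.

```javascript
// Added example: audit an npm lockfile for a flagged package that arrives as a
// transitive dependency, and report the chain of packages that pulled it in.
// Not the page's or any project's code. Assumes lockfileVersion 2/3 layout:
// keys like "node_modules/yawpp" or "node_modules/a/node_modules/b", each
// entry listing its "dependencies". Workspace-specific paths are not handled.

// Package named in the Checkmarx report; extend this set with your own IOCs.
const FLAGGED = new Set(["@0xengine/xmlrpc"]);

// Resolve which lockfile path `depName` resolves to when required from the
// package installed at `fromPath`: look for a nested node_modules first, then
// walk up toward the hoisted root, mirroring Node's module resolution.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Walk the dependency graph from the root package (key "") and collect every
// chain that ends at a flagged package. Returns [{ chain: [...names], version }].
function findFlaggedChains(lock, flagged = FLAGGED) {
  const packages = lock.packages || {};
  const chains = [];
  const visited = new Set(); // lockfile paths already expanded (cycle guard)

  function walk(path, chain) {
    const entry = packages[path];
    if (!entry) return;
    // Root entries list devDependencies separately; merge everything we install.
    const deps = Object.assign(
      {},
      entry.dependencies,
      entry.optionalDependencies,
      path === "" ? entry.devDependencies : undefined
    );
    for (const depName of Object.keys(deps)) {
      const depPath = resolveDep(packages, path, depName);
      if (!depPath) continue; // not installed (e.g. unmet optional dep)
      const next = chain.concat(depName);
      if (flagged.has(depName)) {
        chains.push({ chain: next, version: packages[depPath].version });
      }
      if (visited.has(depPath)) continue;
      visited.add(depPath);
      walk(depPath, next);
    }
  }

  walk("", []);
  return chains;
}

// Human-readable report, one line per flagged chain.
function formatReport(chains) {
  if (chains.length === 0) return "no flagged packages in dependency tree";
  return chains
    .map((c) => {
      const name = c.chain[c.chain.length - 1];
      return `FLAGGED ${name}@${c.version} via ${c.chain.join(" -> ")}`;
    })
    .join("\n");
}

// Constructed sample lockfile (not a real one): the app depends on "yawpp",
// which in turn requires the flagged package. Versions are placeholders.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0", dependencies: { yawpp: "^1.0.0", express: "^4.0.0" } },
    "node_modules/express": { version: "4.19.2", dependencies: {} },
    "node_modules/yawpp": { version: "1.0.0", dependencies: { "@0xengine/xmlrpc": "*" } },
    "node_modules/@0xengine/xmlrpc": { version: "1.0.0", dependencies: {} },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]; with no argument the
// constructed sample is audited. Guarded so the module also loads under ESM.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCK;
  console.log(formatReport(findFlaggedChains(lock)));
}
```

Running it on the sample prints `FLAGGED @0xengine/xmlrpc@1.0.0 via yawpp -> @0xengine/xmlrpc`, which is the chain a plain `grep` of package.json would miss. Because the malicious code here was introduced in later versions of an already-trusted package, an audit like this is most useful when run on every lockfile change rather than once at onboarding, so that a version bump of a dependency (or of a dependency's dependency) is reviewed before it reaches a developer machine or CI runner.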
