In a new type of software supply chain attack aimed at open source projects, it has emerged that a threat actor can take over an abandoned Amazon S3 bucket to serve rogue binaries without modifying the packages themselves.
“Malicious binary steals user IDs, passwords, local machine environment variables, and local hostnames, then extracts the stolen data to a hijacked bucket,” Checkmarx researcher Guy Nachshon said.
The attack was first observed in the case of the npm package named bignum which, up to version 0.13.0, relied on an Amazon S3 bucket to download pre-built binaries of the addon through node-pre-gyp during installation.
“These binaries were published on a now-deprecated S3 bucket that has since been claimed by a malicious third party who is now serving the binary containing malware that extracts data from users’ computers,” according to a GitHub advisory published on May 24, 2023.
An unknown threat actor is said to have seized on the fact that the S3 bucket was once active to deliver malware whenever an unsuspecting user downloaded the package.
“If a package points to a bucket as its source, that pointer persists even after the bucket is deleted,” explains Nachshon. “This abnormality allowed the attacker to move the pointer towards the captured bucket.”
Reverse engineering of the malware sample has revealed that it is capable of looting user credentials and environment details, and sending the information to the same hijacked bucket.
Checkmarx said it found many packages using abandoned S3 buckets, making them vulnerable to new attack vectors. If anything, the developments are a sign that threat actors are constantly looking for ways to poison the software supply chain.
“This new twist in the subdomain takeover space serves as a wake-up call to both developers and organizations,” said Nachshon. “Abandoned hosting buckets or obsolete subdomains aren’t just forgotten artifacts; in the wrong hands, they can be powerful weapons for data theft and tampering.”
The development also comes barely a week after Cyble uncovered 160 malicious Python packages estimated to have been downloaded more than 45,000 times and featuring the ability to steal login credentials and credit card details.