
Unauthorized Takeover of Npm Package Leads to Data and Cryptocurrency Theft through Artificial Intelligence-Driven Malware

Attackers exploit developer AI assistants in a software supply chain assault targeting Nx, as announced by StepSecurity, marking a novel strategy in cyber threats.


In a concerning development for the tech community, a series of attacks has been targeting private organizational repositories on GitHub. The malicious activity, which started on August 26, has been linked to the release of version 21.5.0 of Nx, an open-source build platform widely used by developers for automating and streamlining code testing, building, and deployment workflows.

The attackers exploited the local AI command-line interface tools within the compromised Nx versions, infecting not just the initial Nx repository, but seven other versions over the subsequent hours and day. The malware, designed to steal cryptocurrencies and key developer data, changed the user's shell configuration files to ensure the developer's machine would reboot every time a new terminal session started.

Once collected, the stolen information was encoded and saved into a single file. The targets of the script included GitHub and npm tokens, SSH keys, environment variable secrets, and cryptocurrency wallet data. To further escalate the attack, the malicious updates intended to automatically create a new public repository under the victim's own account for storing the stolen data.

The entity responsible for the second wave of attacks, expanding from the Nx credential leaks, has been identified as NPM. A threat actor released malicious updates on the npm package repository for components of a tool popular among developers. Attackers are renaming private repositories to a specific pattern and converting them to public access. They are also forking these repositories into compromised user accounts.

These attacks mark a "new frontier in supply chain attacks," as they harness developer-facing AI CLI tools. However, there is some good news. StepSecurity has provided a comprehensive remediation plan for users, and affected organizations are advised to make exposed repositories private again, disconnect affected users, revoke access tokens, and delete forked repositories containing sensitive data.

To check whether your organization has been affected, use the provided GitHub query. It is crucial for developers and organizations to remain vigilant and proactive in securing their repositories to prevent such attacks in the future.
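
A local check that complements the repository-side query mentioned above, as an added example that is not from the article or from StepSecurity: it scans a parsed `package-lock.json` for the Nx version named here. The function names, the `FLAGGED` table and the sample lockfiles are assumptions constructed for illustration; only version 21.5.0 comes from the page.

```javascript
// Only 21.5.0 is named on the page; add the other affected versions and
// component packages from the vendor advisory before relying on the result.
const FLAGGED = new Map([["nx", new Set(["21.5.0"])]]);

// lockfileVersion 2/3 keys entries by install path, e.g.
// "node_modules/a/node_modules/nx"; the name follows the last "node_modules/".
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? "" : path.slice(idx + marker.length);
}

// Real use: findFlagged(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = flagged.get(name);
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      // meta.name is set only for aliased installs; otherwise use the path
      check(meta.name || nameFromPath(path), meta.version, path);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, [...trail, name].join(" > "));
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/nx": { version: "21.5.0" },
  "node_modules/tool/node_modules/nx": { version: "21.4.1" },
  "node_modules/build-alias": { name: "nx", version: "21.5.0" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  tool: { version: "2.0.0", dependencies: { nx: { version: "21.5.0" } } },
  nx: { version: "21.4.1" },
} };
```

A hit means the flagged version was resolved at install time, so the machine and any tokens on it should go through the remediation steps listed above; an empty result only shows that this one lockfile did not pin it.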
