A previously removed malicious package is still accessible via jsdelivr and is being used for phishing attacks
The main news
CloudGuard Spectral has discovered a malicious package on NPM that executes a phishing attack to obtain user credentials.
To do this, the package loads a file belonging to another malicious package that was found and removed from NPM, but whose files are still served by a popular NPM CDN service, jsdelivr.
Once we detected it, we alerted NPM and jsdelivr about the malicious package and the malicious flow.
NPM and jsdelivr
jsdelivr is a free, open source content delivery network (CDN). It provides a fast and reliable way to host and distribute files, making it easy for developers to incorporate external libraries and resources into their web projects. jsdelivr operates as a global CDN with edge servers distributed around the world: when a website references a file on jsdelivr, it is served from an edge server close to the user, reducing latency and improving performance. jsdelivr supports versioning of hosted files, allowing developers to pin a specific library version. This ensures that projects keep working reliably even as the library is updated over time, and jsdelivr also provides a fallback mechanism if a particular version is no longer available.
One of jsdelivr's key features is direct file links: any file of any package published to NPM can be referenced by URL from the jsdelivr CDN, with no extra hosting step. But as we see today, even legitimate services like the jsdelivr CDN can be misused for malicious purposes.
Discovering reactenz
The entry point for this research is reactenz, a package that our AI models flagged as malicious. An empty description page and zero dependent packages indicate that the package was meant to be found and installed by its name alone (a typosquatting-style lure aimed at developers who mistype or guess a package name).
A simple GitHub search shows developers looking for the popular react-enzyme package, commonly referred to as 'ReactEnzyme' in GitHub code snippets, which is the name reactenz appears to imitate.
The package includes a hidden index.js which, after deobfuscation, turned out to be a simple but dubious client-side helper. Once installed, it downloads a .txt file from the NPM CDN service (jsdelivr), renders it as HTML, and injects it into the current window.
The .txt file is encoded; after 'HTML decoding' and 'beautifying' it turns out to be known phishing HTML that tricks users into 'resetting' their Microsoft passwords and steals the new credentials once they do.
So far the story seems familiar: threat actors stealing user credentials through an embedded phishing page. The interesting part begins when we look at where the malicious .txt file came from: the package 'standforusz', whose files were being served by the jsdelivr CDN.
A quick search revealed that this package had been flagged as malicious on NPM a month earlier, yet its files were still accessible via the CDN. This lets attackers keep reusing their malicious code in new campaigns even after their package has been removed from NPM.
This finding was disturbing for two main reasons:
- While NPM goes to great lengths to ensure that malicious packages are inaccessible once they are discovered (publishing a new ‘0.0.1-security’ version that overrides the namespace on NPM and its mirrors, making previous versions inaccessible), we see that malicious code is still accessible via CDN services long after it is discovered.
- Most security tools watch for code downloaded from suspicious or unknown sources. By serving their content through a popular CDN, threat actors can inject it unnoticed, since many legitimate packages fetch the contents of legitimate NPM packages from jsdelivr in exactly the same way. This makes such malicious packages effectively invisible to security tools.
To make matters worse, our analysis revealed another example where malicious resources remained accessible via jsdelivr long after they had been removed from NPM: the package markedjs. It was identified as malicious a year ago, but its malicious components can still be fetched from the jsdelivr CDN.
We reported the malicious package to NPM and it was soon removed. We have also reported the presence of the malicious files to jsdelivr.
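The gap described above (the CDN still serving files of a package NPM has replaced with a security placeholder) can be checked for in your own code base. The following is an added example, not the Spectral team's or jsdelivr's code: it extracts NPM-backed jsdelivr URLs from JavaScript or HTML, and compares each against the package's registry metadata (the sample source and registry documents are constructed; the live lookup helper is included but not exercised offline).

```python
"""Added example, not the Spectral team's code: find jsdelivr URLs in JS/HTML
that point at NPM packages the registry has since replaced with a security stub."""
import json
import re
import urllib.error
import urllib.request

# cdn.jsdelivr.net/npm/<name>[@<version>][/<path>]; scoped names (@org/pkg) included.
JSDELIVR_NPM = re.compile(
    r"https?://cdn\.jsdelivr\.net/npm/(?P<name>(?:@[\w.-]+/)?[\w.-]+)"
    r"(?:@(?P<version>[^/\s'\"]+))?(?P<path>/[^\s'\"<>)]*)?")

def find_jsdelivr_refs(source):
    """Every NPM-backed jsdelivr reference in a blob of JavaScript or HTML."""
    return [m.groupdict() for m in JSDELIVR_NPM.finditer(source)]

def is_security_placeholder(doc):
    """True for the '0.0.1-security' holding package NPM publishes over a removed one."""
    latest = doc.get("dist-tags", {}).get("latest", "")
    desc = doc.get("description", "").lower()
    return latest.endswith("-security") or "security holding package" in desc

def fetch_registry_doc(name):
    """Live registry lookup; {} when the package is unpublished (HTTP 404)."""
    try:
        with urllib.request.urlopen(f"https://registry.npmjs.org/{name}", timeout=10) as r:
            return json.load(r)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return {}
        raise

def classify(ref, doc):
    """'removed': the CDN may still serve files the registry no longer offers."""
    if not doc or is_security_placeholder(doc):
        return "removed"
    if ref["version"] and ref["version"] not in doc.get("versions", {}):
        return "unknown-version"
    return "published"

# Constructed sample input: a loader like the one described, plus a legitimate pin.
SAMPLE_JS = """fetch("https://cdn.jsdelivr.net/npm/removed-pkg@1.0.0/payload.txt")
<script src="https://cdn.jsdelivr.net/npm/@scope/lib@2.1.0/dist/lib.min.js"></script>"""
# Constructed registry documents standing in for fetch_registry_doc() responses.
PLACEHOLDER_DOC = {"dist-tags": {"latest": "0.0.1-security"},
                   "versions": {"0.0.1-security": {}}, "description": "security holding package"}
LIVE_DOC = {"dist-tags": {"latest": "2.1.0"}, "versions": {"2.0.0": {}, "2.1.0": {}}}
if __name__ == "__main__":
    for ref, doc in zip(find_jsdelivr_refs(SAMPLE_JS), [PLACEHOLDER_DOC, LIVE_DOC]):
        print(f"{ref['name']}@{ref['version']}{ref['path']}: {classify(ref, doc)}")
```

In a real scan, replace the constructed documents with `fetch_registry_doc(ref["name"])` and treat any "removed" result as a CDN reference that must be pulled from the code base.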
An increasing risk
It is important to emphasize that this CDN abuse is more dangerous than the malicious package itself: it lets threat actors reuse their malicious code, share working techniques among themselves, and evade the monitoring tools commonly used to vet third-party code. It also re-emphasizes the danger of open source components: no one guarantees that the open source we use is safe, and it is our responsibility to check it. Although platforms are working hard to prevent such attacks (as NPM does with its security placeholder versions), users should be aware that the exploits are still out there and the risk is constant. In this case the weak point was a helper service (the CDN), but in general there are no bulletproof open source services.
Supply chain attacks are on the rise, so it is important to double-check every piece of software you use, especially software you did not create yourself. As a community, we need to make it easy to do the right thing from a security perspective and create a safe development process. As part of this effort, we constantly scan PyPI and NPM for malicious packages to prevent such supply chain attacks, making sure you are the first to know about new malicious actors.