Full Report
In November 2024, supply chain attacks featured two key trends: attackers’ persistent use of “legitimate-first” package strategies and creative approaches like exploiting official documentation. Cryptocurrency remained the primary target through both credential theft and mining operations.

Let’s delve into some of the most striking events of November:

**Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data Theft**

A malicious NPM package, masquerading as a legitimate XML-RPC implementation, operated for over a year — stealing data and mining cryptocurrency. Dozens of systems were affected.

[Figure: xml-rpc attack flow]

**Malicious NPM Package Exploits React Native Documentation Example**

An attacker published a malicious NPM package that mirrors an example from React Native’s official documentation, in an attempt to trick developers following the official guide. This highlights the need for careful package verification even when following official guides.

[Figure: From React Native’s official documentation]

[Figure: Malicious npm package mirroring example from React Native’s official documentation]

**Falling Stars**

Two years after the discovery of StarJacking, an analysis of 21 package repositories reveals improved security measures against this threat — though the risk still persists in some repositories.

[Figure: Example of PyPI ecosystem process — adding verification of the package metadata.]

**“aiocpa” Python Package Transforms From Legitimate Package to Crypto Thief**

In November 2024, PyPI published an advisory about the aiocpa package, which was compromised when versions 0.1.13 and 0.1.14 introduced obfuscated malware designed to steal cryptocurrency credentials via Telegram. The attack was notable for its patience — the attacker maintained a legitimate package for months before adding malware, while keeping the GitHub repository clean.

With thousands of downloads in its final month, aiocpa joins a growing trend where attackers establish legitimate packages before weaponizing them, in most cases to target cryptocurrency assets.

Our team will continue to hunt, squash attacks, and remove malicious packages in our effort to keep the open-source ecosystem safe.

I encourage you to stay up to date with the latest trends and tactics in software supply chain security by tuning into our future posts and learning how to defend against potential threats.

Stay tuned…

Checkmarx Supply Chain Security,
Working to Keep the Open Source Ecosystem Safe

November 2024 in Software Supply Chain Security was originally published in Checkmarx Zero on Medium, where people are continuing the conversation by highlighting and responding to this story.
Analysis Summary
# Incident Report: November 2024 Software Supply Chain Attacks
## Executive Summary
During November 2024, the software supply chain landscape was marked by sophisticated attacks focusing primarily on cryptocurrency theft. Key incidents involved malicious NPM packages operating for long durations (one over a year) and attackers leveraging tactics like mirroring official documentation examples to compromise developers during standard development processes. The impact spread across multiple ecosystems, necessitating vigilant package verification across the industry.
## Incident Details
- **Discovery Date:** Ongoing analysis across November 2024 (Specific discovery dates for individual packages noted in events below).
- **Incident Date:** Primarily occurring throughout November 2024, with some threats persisting for over a year.
- **Affected Organization:** Multiple developers and organizations integrating compromised packages (e.g., dozens of machines infected in the NPM case).
- **Sector:** Software Development/Technology (Focus on dependencies and open-source ecosystems).
- **Geography:** Global (Affecting public repositories like NPM and PyPI).
## Timeline of Events
### Initial Access
- **Date/Time:** Varies (One NPM package active for over a year).
- **Vector:** Malicious package injection into public repositories (NPM and PyPI).
- **Details:**
  * **NPM Attack:** Malicious package masquerading as a legitimate XML-RPC implementation introduced.
  * **React Native Example Attack:** Malicious NPM package published mirroring an example from official React Native documentation.
  * **PyPI Attack (aiocpa):** Legitimate package maintained for months before malicious, obfuscated versions (0.1.13, 0.1.14) were introduced in November 2024.
### Lateral Movement
- **Details:** Not explicitly detailed, but the aiocpa package leveraged malicious code within the software build/execution process to steal credentials.
### Data Exfiltration/Impact
- **Details:** Primary impact focused on **cryptocurrency credential theft** via Telegram and **cryptocurrency mining operations** occurring on infected machines.
### Detection & Response
- **How it was discovered:** Ongoing analysis by security researchers (e.g., Checkmarx) and official advisories (e.g., PyPI advisory on aiocpa on Nov 25, 2024).
- **Response actions taken:** PyPI published an advisory for the aiocpa package. Security teams continue to hunt for and remove malicious packages.
## Attack Methodology
- **Initial Access:** Supply Chain Compromise (Injecting malicious code into legitimate-appearing or seemingly benign library versions).
- **Persistence:** Established through the long-term presence of the malicious package in repositories over many months/a year.
- **Privilege Escalation:** Not explicitly detailed, but gaining control over the execution environment to run mining/theft scripts.
- **Defense Evasion:** Use of obfuscated malware (aiocpa) and maintaining a clean GitHub repository while weaponizing repository versions.
- **Credential Access:** Stealing cryptocurrency credentials, often targeted for exfiltration via Telegram.
- **Discovery:** Internal research and monitoring of package repositories.
- **Lateral Movement:** Implicitly through developers integrating the compromised package into their projects.
- **Collection:** Targeting cryptocurrency wallet details.
- **Exfiltration:** Data exfiltrated via communication channels (e.g., Telegram hook).
- **Impact:** Cryptocurrency theft and unauthorized resource consumption (mining).
## Impact Assessment
- **Financial:** Direct financial loss via stolen cryptocurrency; indirect costs associated with incident investigation and remediation.
- **Data Breach:** Theft of proprietary cryptocurrency credentials.
- **Operational:** Potential operational disruption on *dozens* of machines involved in mining and data collection.
- **Reputational:** Damage to trust in specific open-source ecosystems (NPM, PyPI) and the risk associated with following official documentation examples.
## Indicators of Compromise
*(Note: Indicators are presented as general types, as the specific package names are malicious and not defanged/sanitized for live blocking)*
- **Network indicators:** Communication channels used for credential exfiltration (e.g., Telegram API hooks related to the malicious package).
- **File indicators:** Obfuscated binary or script components found within package archives (e.g., versions 0.1.13/0.1.14 of aiocpa).
- **Behavioral indicators:** Unexpected outbound network connections from build environments or execution of cryptocurrency mining processes that consume high CPU resources.
## Response Actions
- **Containment measures:** Public advisories issued by repository maintainers (PyPI) to warn users.
- **Eradication steps:** Removal/quarantine of malicious package versions from repositories.
- **Recovery actions:** Developers who integrated the packages must check their environments for residual malware, rotate any compromised cryptocurrency credentials, and audit package sources.
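
A check for the recovery step above, as an added example that is not from the Checkmarx report or the PyPI advisory: it scans a pip requirements file for the aiocpa releases the report names (0.1.13 and 0.1.14), flags entries without an exact pin that could have resolved to them, and looks for those releases in the current environment. The function names and the sample file are constructed for illustration.

```python
import re
from importlib import metadata

# Releases the report above names as carrying the malicious code.
AFFECTED = {"aiocpa": {"0.1.13", "0.1.14"}}
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*)")
PIN = re.compile(r"===?\s*([^\s,*]+)")

def normalize(name):
    # PEP 503: case-insensitive, runs of "-", "_" and "." compare as one "-".
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text):
    """Return (line_no, package, verdict) for requirement lines needing attention."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip("\\ ").strip()
        if not line or line.startswith("-"):       # blank, comment or pip option
            continue
        m = REQ.match(line)
        if not m or normalize(m.group(1)) not in AFFECTED:
            continue
        name = normalize(m.group(1))
        spec = m.group(2).split(" --")[0].strip()  # drop inline --hash options
        pin = PIN.fullmatch(spec)
        if pin is None:  # range, wildcard or no specifier: resolution unknown
            findings.append((no, name, "unpinned"))
        elif pin.group(1) in AFFECTED[name]:
            findings.append((no, name, "affected"))
    return findings

def installed_hits():
    """Affected releases present in the current Python environment."""
    hits = []
    for dist in metadata.distributions():
        name = normalize(dist.metadata["Name"] or "")
        if dist.version in AFFECTED.get(name, ()):
            hits.append((name, dist.version))
    return hits

# Constructed sample requirements file (not taken from the report).
SAMPLE = """\
requests==2.32.3
AioCPA==0.1.13 ; python_version >= "3.9"
aiocpa[extra]>=0.1.0   # range: may have resolved to an affected release
aiocpa==0.1.12 \\
    --hash=sha256:PLACEHOLDER
"""
print(audit_requirements(SAMPLE), installed_hits())
```

An "unpinned" verdict means the requirements file alone cannot rule out an affected release, so the lock file or the environment (via `installed_hits()`) has to be checked as well.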
## Lessons Learned
- Attackers are frequently using "legitimate-first" package strategies, establishing trust over extended periods before weaponization.
- Exploiting official documentation examples remains an effective social engineering technique to bypass developer skepticism.
- Cryptocurrency remains a primary monetization target for supply chain attacks.
- Security scrutiny must be applied even when integrating components referenced in official developer guides.
## Recommendations
- **Enhanced Vetting:** Implement stricter internal security policies requiring enhanced vetting for package dependencies, even those frequently used or linked in official documentation.
- **Automated Scanning:** Increase use of sophisticated Software Composition Analysis (SCA) tools capable of detecting obfuscation, unusual persistence mechanisms, and post-install behavior.
- **Monitoring:** Monitor dependency behavior in development and staging environments for unauthorized network calls or unusual resource utilization (CPU spikes indicative of crypto mining).
- **Supply Chain Integrity:** Continue monitoring repository verification progress (like the example seen in PyPI regarding package metadata).