Full Report
October 2024 heralded a new chapter in supply chain security challenges, characterized by innovative attack techniques and cryptocurrency-focused threats. A groundbreaking entry point exploitation technique affecting multiple package ecosystems was unveiled, while the NPM ecosystem witnessed the first-ever use of Ethereum smart contracts for malware C2 infrastructure. The month also saw multiple sophisticated attacks on cryptocurrency wallets through PyPI packages and a notable compromise of the popular lottie-player package, despite 2FA protections, highlighting the increasing complexity of supply chain security threats.Let’s delve into some of the most striking events of October:https://medium.com/media/c0eb27b97763c315c90647b96740d6d3/hrefThis New Supply Chain Attack Technique Can Trojanize All Your CLI CommandsA new supply chain attack technique exploits entry points in various programming ecosystems, allowing attackers to trojanize CLI commands. This stealthy method poses risks to developers and enterprises, bypassing traditional security checks. (Link to report).https://medium.com/media/4347d8a78c17bbeecd894d8a733905a9/hrefWith 2FA Enabled: NPM Package lottie-player Taken Over by AttackersNPM package lottie-player compromised via leaked automation token, bypassing 2FA. Malicious versions injected code to trick users into connecting crypto wallets. Swift response: safe version released, compromised versions unpublished. (Link to report).https://medium.com/media/d833046746c6abb32a0b8239ad57b27f/hrefCrypto-Stealing Code Lurking in Python Package DependenciesA sophisticated cyber attack on PyPI targeted cryptocurrency wallets through malicious packages. The attack used deceptive strategies, distributed malicious code across dependencies, and only activated when specific functions were called, making detection challenging. (Link to report).Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain AttackA malicious PyPI package “cryptoaitools” targeted cryptocurrency enthusiasts through a multi-vector supply chain attack. It used deceptive GUI, multi-stage infection, and comprehensive data exfiltration to steal crypto-related information from Windows and macOS users. (Link to report).Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform MalwareA sophisticated NPM supply chain attack uses Ethereum smart contracts for C2 distribution. The cross-platform malware, targeting popular testing packages, affects Windows, Linux, and macOS through Typosquatting and preinstall scripts. (Link to report)Our team will continue to hunt, squash attacks, and remove malicious packages in our effort to keep the open-source ecosystem safe.I encourage you to stay up to date with the latest trends and tactics in software supply chain security by tuning into our future posts and learning how to defend against potential threats.Stay tuned…Working to Keep the Open Source Ecosystem SafeOctober 2024 in Software Supply Chain Security was originally published in Checkmarx Zero on Medium, where people are continuing the conversation by highlighting and responding to this story.
Analysis Summary
# Incident Report: October 2024 Software Supply Chain Threats
## Executive Summary
October 2024 was marked by a surge in sophisticated supply chain attacks targeting developers and cryptocurrency users across multiple package ecosystems (NPM, PyPI). Key threats included a novel technique to trojanize CLI commands, the use of Ethereum smart contracts for C2 infrastructure, and the compromise of the popular NPM package `lottie-player` despite 2FA protection. Response efforts centered on identifying and removing malicious packages and releasing safe versions to minimize further impact on end-users.
## Incident Details
- **Discovery Date:** Throughout October 2024 (as incidents were identified and reported)
- **Incident Date:** Throughout October 2024
- **Affected Organization:** Multiple organizations utilizing open-source dependencies, specifically users of NPM and PyPI ecosystems. Targets included developers and cryptocurrency enthusiasts.
- **Sector:** Software Development/Technology, Cryptocurrency/Finance
- **Geography:** Global (affecting multi-platform software distribution)
## Timeline of Events
### Initial Access
- **Date/Time:** October 2024
- **Vector:** Exploitation of entry points in programming ecosystems, compromised package maintainer accounts, and deceptive dependency placement.
- **Details:**
1. **CLI Trojanization Technique:** New technique exploited package entry points to inject malicious code that trojanizes common CLI commands used by developers.
2. **`lottie-player`:** Compromise occurred via a leaked automation token, bypassing 2FA controls for the NPM package maintainer account.
3. **PyPI Attacks:** Malicious packages (e.g., "cryptoaitools") used deceptive GUIs and dependency confusion to install cryptocurrency-stealing code.
### Lateral Movement
- **NPM/Malware Distribution:** Cross-platform malware targeting Windows, Linux, and macOS was distributed via malicious preinstall scripts embedded in compromised packages and utilized Ethereum smart contracts for Command and Control (C2).
- **PyPI:** Malicious code was distributed across package dependencies and only activated upon the execution of specific functions related to cryptocurrency tasks.
### Data Exfiltration/Impact
- **Crypto Theft:** Multiple attacks targeted cryptocurrency wallets via PyPI packages.
- **Information Theft:** The `cryptoaitools` package specifically aimed for comprehensive data exfiltration related to crypto assets from Windows and macOS users.
- **Code Execution:** The CLI trojanization technique allowed attackers to execute arbitrary commands under the guise of normal developer operations.
### Detection & Response
- **Detection:** Incidents were discovered through security research (e.g., Checkmarx Zero's ongoing hunting efforts).
- **Response Actions:**
* Swift response resulted in the release of safe versions for compromised packages (e.g., `lottie-player`).
* Compromised, malicious package versions were unpublished from repositories.
* Researchers continued to hunt for and remove threats across open-source ecosystems.
## Attack Methodology
- **Initial Access:** Exploitation of package ecosystem entry points; Compromise of maintainer accounts via leaked automation tokens (bypassing 2FA on NPM).
- **Persistence:** Potential persistence mechanisms leveraged through malicious code embedded deep within dependencies.
- **Privilege Escalation:** Not explicitly detailed, but code execution via malicious installation scripts implies immediate execution privileges upon package installation/use.
- **Defense Evasion:** Deceptive strategies in PyPI attacks used code that only activated upon specific function calls, making static analysis difficult.
- **Credential Access:** Focused heavily on stealing cryptocurrency wallet information.
- **Discovery:** Not explicitly detailed, but reliance on known package ecosystems suggests attackers mapped popular/trusted targets.
- **Lateral Movement:** Use of preinstall scripts and leveraging existing dependency chains.
- **Collection:** Gathering crypto-related information from targeted operating systems (Windows/macOS).
- **Exfiltration:** Comprehensive data exfiltration targeted in the PyPI attacks.
- **Impact:** Financial loss due to crypto theft; supply chain compromise affecting developer tooling.
## Impact Assessment
- **Financial:** Potential financial loss for users targeted by crypto theft.
- **Data Breach:** Exposure of cryptocurrency wallet credentials and other sensitive data from affected users.
- **Operational:** Disruption to development pipelines due to the introduction of trojanized tools and reliance on untrustworthy dependencies.
- **Reputational:** Damage to trust in the integrity of public package repositories like NPM and PyPI.
## Indicators of Compromise
*(Note: Specific IPs/Domains are defanged as per instructions, using placeholders based on attack vectors described)*
- **Network indicators:** Use of Ethereum smart contracts as C2 infrastructure. Potentially communication to external endpoints controlled by attackers for data exfiltration.
- **File indicators:** Malicious code injected into package installation/execution lifecycle scripts (e.g., preinstall scripts).
- **Behavioral indicators:** Attempts to interact with or modify cryptocurrency wallet files/processes; execution of unexpected commands following package installation.
## Response Actions
- **Containment measures:** Immediate removal/unpublishing of malicious versions of packages (`lottie-player`, PyPI crypto packages).
- **Eradication steps:** Developers needed to audit their dependencies and remove any infected versions, reinstalling from verified sources.
- **Recovery actions:** Release of patched and verified package versions to the public ecosystems.
## Lessons Learned
- **2FA can be bypassed:** Relying solely on standard 2FA is insufficient if automation tokens or credentials used by maintainers are compromised.
- **Ecosystem diversity:** Threats are spreading across diverse ecosystems (NPM, PyPI) utilizing novel techniques (Smart Contract C2).
- **CLI Risk:** New attack vectors explicitly target developer tooling (CLI utilities) for deep, sustained compromise.
- **Obfuscation:** Attacks leveraging dependency chains and conditional code execution are highly effective at evading detection.
## Recommendations
- **Strengthen Account Security:** Implement stricter token management and session oversight for package maintainers, especially for automated processes, beyond standard 2FA.
- **Dependency Auditing:** Mandate pre-release scanning and monitoring for packages, focusing on initialization scripts and dependency graphs.
- **Runtime Security:** Implement controls that monitor and restrict unusual behavior during application installation and runtime, specifically looking for crypto API interactions or file system modification in non-standard locations.
- **Utilize Verified Sources:** Favoring packages with high adoption, strong maintainer vetting, or utilizing private artifact repositories where practical.