<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1076912843267184&amp;ev=PageView&amp;noscript=1">

RL Blog

|

Threat research roundup: Lessons learned from recent PyPI and npm supply chain attacks

RL threat researchers have discovered multiple malicious campaigns on open source repositories. Join the webinar to discuss key takeaways for app sec teams.

Carolynn van Arsdale
Blog Author

Carolynn van Arsdale, Writer, ReversingLabs. Read More...

Webinar-Research-Round-Up-OnDemand-1400x732px

Security teams are well aware of the growing problem of software supply chain attacks, but it’s essential that organizations stay abreast of the various threats posed to software supply chains.

One of the pain points that organizations need to learn more about and defend against is malicious campaigns found on open-source software repositories. Repositories such as npm and PyPI are used globally by developers to build software applications, and attackers in recent years have taken great advantage of that.

By using the ReversingLabs Software Supply Chain Security platform, ReversingLabs threat researchers are able to consistently search for, detect, and analyze malicious campaigns on these repositories. Their findings are also enriched by having access to the largest private repository of goodware and malware files in the world, started by RL over a decade ago.

This summer, RL researchers made three major discoveries on open-source repositories, which yielded greater insight into the nature of these malicious campaigns. Join RL's  September 14 webinar, which will be hosted by RL's Paul Roberts, featuring RL threat researcher Lucija Valentić, where they will give a rundown of this summer’s discoveries, how the three incidents compare and contrast — and lessons learned.

Here’s a review of the open-source software supply chain attacks discovered and analyzed by RL researchers. Read up — and bring your questions for the hosts. 

[ Watch Webinar: Threat Research Round-Up: Unpacking The Latest PyPI and NPM Supply Chain Attacks ]

Operation Brainleeches

This campaign, discovered back in early July, is an interesting one that not only has a software supply chain security element to it, but is also tied to phishing attacks. Initially, RL researchers discovered more than a dozen packages on the npm open-source software repository, showcasing the inevitability of these malicious packages causing software supply chain attacks that target application end users.

However, by taking a deeper dive into the composition of these packages, researchers were also able to assert that these malicious packages were supporting email phishing campaigns targeting Microsoft 365 users. Therefore, Operation Brainleeches may be one of the first cases of a dual-use malicious campaign on the npm repository. 

The facts:

  • The malicious packages were posted to npm between May 11 and June 13.
  • The packages mimic legitimate, popular packages, including jquery, which has 7 million weekly downloads.
  • Packages were downloaded around 1,000 times before being removed from npm shortly after RL discovered them.

Software-producing and -consuming organizations alike should take the time to review their software packages’ components to ensure that they do not use or contain this set of malicious packages. 

Roblox game devs targeted on npm

Threat actors targeted gaming developers in this malicious campaign, where RL researchers found over a dozen malicious packages on npm that imitate a legitimate package, noblox.js, which is a Node.js Roblox API wrapper used by developers to write scripts that interact with the Roblox gaming platform. The packages placed Luna Grabber, an information-stealing malware, onto infected systems.

This campaign is a common example of how threat actors take advantage of popular repositories to spread malware and other malicious components. 

The facts:

  • While this was an open malicious campaign on the npm platform, it was targeted to gaming developers specifically based on the popular package attackers mimicked. 
  • Users are less likely to suspect the information-stealing malware, because the malicious packages still use the legitimate code in addition to the malicious code. 
  • This is not the first time Roblox gaming developers have been targeted. In 2021, Sonatype discovered a similar typosquatting campaign that mimicked the same popular package. 

While this attack was targeted primarily at gaming developers, rather than to a wider developer base, this campaign showcases how threat actors are able to specifically target a certain industry by mimicking packages popular to that industry’s developer base, which could happen to banking, commerce, healthcare, etc. 

VMConnect: Malicious campaign on PyPI 

In the case dubbed the “VMConnect” campaign, RL researchers showed that it takes prolonged searching and analysis, even after an initial discovery, to get the full picture of a malicious campaign. Starting on July 28, several malicious packages were uploaded to the PyPI open-source repository, and at the time of the initial report, RL researchers identified 24 of them. These first 24 packages imitated three legitimate and popular open-source Python tools: vConnector, eth-tester, and databases

However, researchers began to notice that as these malicious packages were being detected and reported to PyPI, more were being added to the repository on a daily basis. This led to a second major discovery, which included not only the discovery of three more malicious packages found on PyPI, but also the attribution of the campaign onto a subset of the popular North Korean state-sponsored threat group Lazarus, known as Labyrinth Chollima.  

The facts:

  • This campaign is different from ones such as Operation Brainleeches in that the malicious packages display an effort among threat actors to deceive developers beyond typosquatting. 
  • Researchers were able to attribute the campaign to Labyrinth Chollima based on the malicious packages used and their decrypted payloads, which have been used in the threat group’s previous campaigns. 
  • Researchers believe that this campaign could have possible links to earlier software supply chain campaigns attributed to North Korean threat actors. 
  • In the second leg of this campaign, threat actors designed the malicious packages so that they could not be detected by dynamic application security testing (DAST) tools.

The VMConnect campaign raises several concerns. Not only should developer teams become more mindful of how deceptive typosquatted packages can be, but security teams should also be reconsidering their arsenal of tools that should go beyond DAST. And additionally worrying is the fact that nation-state adversaries could be using open-source repositories as a new attack vector. 

[ Replay Webinar: Threat Research Round-Up: Unpacking The Latest PyPI and NPM Supply Chain Attacks ]

Bring your questions

Leaders concerned about these kinds of malicious campaigns will need to take the time to fully understand the threats posed to their organizations. Leaders also need to learn that no two malicious campaigns found on open-source repositories are the same. This is why developer teams need to be brought up to speed on what kinds of campaigns to look out for and why security teams need more comprehensive tools that can actually spot these campaigns. 

Join this webinar and hear directly from one of RL’s leading threat researchers who was a part of these discoveries, and get the answers you are looking for in regard to maturing your organization’s security posture. Leaders should refer to this blog post as a starting point for questions they can directly ask these experts. 

Keep learning


Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

More Blog Posts

    Special Reports