科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global technology news and discussion.

© 2025 科技回声. All rights reserved.

Embedded Malware in Coa

137 points by StevePlea over 3 years ago

23 comments

cloudbonsai over 3 years ago

For anyone interested, the malicious code can be found in the following link:

https://github.com/veged/coa/issues/99#issuecomment-961536877

TLDR: The attacker injected attack code as coa's `preinstall` script, which executes an obscurely-named file ("compile.bat"). This file is fully obfuscated, but what it does is basically to pull exploit DLLs from the attacker's server and install 'em.

I think the fortunate part of this accident is that the attacker failed to deploy the malware in his/her first attempt; v2.0.3 only contained half of the changeset that the exploit needs to work (which accidentally broke tons of CI builds), so some developers could notice that something was wrong a bit early.

Comment #29118576 not loaded
raesene9 over 3 years ago

Earlier post (https://news.ycombinator.com/item?id=29111279).

The thing that should be causing concern is not so much these very loud, obvious attacks, but how many better attacks, ones that are harder to detect, are currently happening.

With 1.7M packages and an ecosystem that favours lots of 3rd-party package usage, NPM is a large target. Whilst NPM isn't the only repository to have this kind of issue, it's definitely the largest attack surface.
inbx0 over 3 years ago

Reminder that people should seriously consider disabling the install scripts.

Personal system-wide config:

```
npm config set ignore-scripts true -g
yarn config set ignore-scripts true -g
```

and add & commit a .npmrc/.yarnrc file with

```
# .npmrc
ignore-scripts=true

# .yarnrc
ignore-scripts true
```

Yes, this will cause headaches in some (increasingly rare) cases where some package actually needs those scripts. You can fix this with custom install scripts that take care of running install for those specific packages.

And yes yes, as people love to point out, this isn't exactly a bulletproof solution either. The attacker could just put the malicious code inside the package's code and wait for it to be actually executed. But again and again, they don't; they choose to use the package's install scripts as the place to do their dirty work.

So in practice this policy would've already protected you from who knows how many of these attacks, and my guess is that it'll continue to do so.

Comment #29118389 not loaded
Comment #29118460 not loaded
Comment #29125458 not loaded
perihelions over 3 years ago

A separate advisory says the npm package "rc" is also compromised. That's also a highly popular one, according to the npmjs stats (1,323 dependents; 14.2 million weekly downloads).

https://github.com/advisories/GHSA-g2q5-5433-rhrf ("Embedded malware in rc", "critical severity")

Notable that both advisories link to the virustotal entry for the same file hash (same malware).

@dang Could the title be updated to include the names of other affected packages?
EdwardDiego over 3 years ago
For anyone else wondering, Coa is a CLI arg parser for Node.
loa44hh100 over 3 years ago

This makes me appreciate Deno's focus on security. Having things like file and network access 'opt in' seems like a no-brainer when we see how easy it is to simply install an npm package and find yourself vulnerable to malware.

Comment #29118543 not loaded
Comment #29119047 not loaded
r6203 over 3 years ago

Are other languages/runtimes also as risky as Node with npm?

npm packages seem like a house of cards.

I know that the node_modules folder is often criticized for its sheer number of 3rd-party libraries. Is it because of JavaScript's "missing" standard library?

Comment #29118730 not loaded
Comment #29119034 not loaded
Comment #29118621 not loaded
strogonoff over 3 years ago

It seems like this was caught soon because it broke many builds. Imagine if this change had been hidden better.

Comment #29118115 not loaded
capableweb over 3 years ago

What a worthless advisory; how about sharing who could possibly be affected at the very top, or at least anywhere?

Going to the issue, it seems the `preinstall` field was changed to `start /B node compile.js & node compile.js",`, which means this would only run on Windows machines; everyone else seems to be unaffected.

Here is how you can find out if you have the affected package on your machine/instance:

```
find ~/projects/ -type d -name "*coa*" | xargs -I {} jq .version {}/package.json 2>/dev/null
```

Assumes you have `find`, `xargs` and `jq` installed; will print all versions of coa it can find. Seems any version above 2.0.3 is bad.

Edit: is anyone sitting on the source for `compile.js` as mentioned? Would be interesting to see.

Comment #29117494 not loaded
Comment #29117925 not loaded
Comment #29118963 not loaded
_wldu over 3 years ago

It seems that all of these should be cryptographically signed by a developer's private key before publication and then verified by others before use. Is that not the case?

Comment #29118019 not loaded
Comment #29118306 not loaded
Comment #29118930 not loaded
dromma over 3 years ago

NPM seems to have a lot of issues: https://github.com/advisories?page=1&query=malware
keewee7 over 3 years ago

The Coa NPM package has 8.8 million weekly downloads. The vast majority of the downloads is from being a dependency in other packages.

Is it possible to check how many downloaded the compromised versions?

https://www.npmjs.com/package/coa
peanut_worm over 3 years ago

Why can't there just be multiple curated repositories, like how Linux distros do it?

Having NPM just be a free-for-all is a ticking time bomb. It is only a matter of time before an event like this results in something very serious.

Comment #29118766 not loaded
Comment #29118417 not loaded
ryukafalz over 3 years ago

Your periodic reminder that modules have way more authority than they need by default, and that there are ways to fix this: https://medium.com/agoric/pola-would-have-prevented-the-event-stream-incident-45653ecbda99

(Of course *this* malware was in a preinstall script, which should also be disabled... but any module you import in a node app can do bad things when you run your app, preinstall script or no.)
eqmvii over 3 years ago

If I'm reading this correctly, the malicious code was in new (higher) versions of the releases.

Would this mean any project using a package.lock/yarn.lock was 'safe' going through deploys? So only new installs and builds without lock files could have grabbed the higher version?

If so, I wonder if it's hard or impossible to swap a release version on NPM. Seems like that would hit a much wider audience before being detected.
ricksunny over 3 years ago

My read of the headline was that this was malware in embedded hardware electronics systems, or describing some exploit / attack surface for same.

May I suggest that a clearer phrasing would be 'Malware embedded in Coa'? Or is 'embedded malware' a somewhat confusing term of art in the cybersec community?
rafaelturk over 3 years ago

As bad as this may sound, this is why I love Open Source, npm and the JavaScript ecosystem. It's super easy to audit and check the code.

What is missing is more automated and recurrent checks in all the packages and downstream dependencies.

Comment #29118051 not loaded
Comment #29117966 not loaded
Comment #29118042 not loaded
Comment #29119981 not loaded
BonoboIO over 3 years ago

Using npm is like Russian roulette. Someday it makes your head hurt really bad!
thrdbndndn over 3 years ago

What exactly is the malicious code? I assume it's in `compile.js` and can only be found in the published (now removed) npm package instead of the source code repo?

Comment #29117643 not loaded
haunter over 3 years ago

Is https://www.virustotal.com good? I saw it referenced but never used it.

Comment #29117971 not loaded
Comment #29118202 not loaded
Comment #29117995 not loaded
Comment #29123188 not loaded
ChrisLTD over 3 years ago

Looks like you might be compromised by this rogue Coa package if you use Windows and you installed or updated npm packages on November 4.
jcfrei over 3 years ago

How do you add a new version to npm? Was the dev's account hacked, or how does that work?

Comment #29117964 not loaded
Comment #29123145 not loaded
joshuanapoli over 3 years ago

How long were the compromised versions available from npm?