Malicious npm package targets AWS users

June 27, 2024, 9:26 a.m.

Description

ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later version included a postinstall script that downloaded and executed a backdoor payload. The package's history demonstrates the challenges of monitoring open source repositories for threats, and RL introduced Spectra Assure Community to help developers assess package risks.

External References

https://www.reversinglabs.com/blog/a-lurking-npm-package-makes-the-case-for-open-source-health-checks
https://otx.alienvault.com/pulse/667d1bbf813faaa5009fbfd6
Tags
backdoor
supply-chain
2024-06-27
npm
aws

Date

  • Created: June 27, 2024, 7:58 a.m.
  • Published: June 27, 2024, 7:58 a.m.
  • Modified: June 27, 2024, 9:26 a.m.

Indicators

  • secure.software
  • 5c3d87cdd9aa9cb28bc3240317983554b40e3f8e47ef8447bba1103d73bfee17
  • 91.238.181.250
Download all indicators here!

Attack Patterns

  • legacyreact-aws-s3-typescript
  • T1559.001
  • T1195.002
  • T1608
  • T1105
  • T1190