A significant supply chain attack is under way after 16 popular Gluestack 'react-native-aria' packages with more than 950,000 weekly downloads were compromised on NPM to include malicious code that acts as a remote access trojan (RAT).
BleepingComputer determined that the compromise began at 4:33 PM EST on June 6, when a new version of the @react-native-aria/focus package was published to NPM. Since then, 16 of the 20 Gluestack react-native-aria packages on NPM have been compromised, and the threat actors published another new version as recently as two hours ago.

Source: BleepingComputer
The supply chain attack was discovered by cybersecurity firm Aikido Security, which found the malicious code injected into the lib/index.js file of the following packages:
Package name | Version | Weekly downloads
--- | --- | ---
@react-native-aria/button | 0.2.11 | 51,000
@react-native-aria/checkbox | 0.2.11 | 81,000
@react-native-aria/combobox | 0.2.10 | 51,000
@react-native-aria/disclosure | 0.2.9 | 3
@react-native-aria/focus | 0.2.10 | 100,000
@react-native-aria/interactions | 0.2.17 | 125,000
@react-native-aria/listbox | 0.2.10 | 51,000
@react-native-aria/menu | 0.2.16 | 22,000
@react-native-aria/overlay | 0.3.16 | 96,000
@react-native-aria/radio | 0.2.14 | 78,000
@react-native-aria/switch | 0.2.5 | 477
@react-native-aria/toggle | 0.2.12 | 81,000
@react-native-aria/utils | 0.2.13 | 120,000
@gluestack-ui/utils | 0.1.17 | 55,000
@react-native-aria/separator | 0.2.7 | 65
@react-native-aria/slider | 0.2.13 | 51,000
With around 960,000 weekly downloads between them, these packages are popular enough that their compromise is a supply chain attack with potentially widespread consequences.
The malicious code is heavily obfuscated and appended to the last line of the source code in the file, padded with a long run of spaces so that it is not easily seen in the code viewer on the NPM site.

Source: BleepingComputer
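As an added defender-side example (not code from the article, Aikido or Gluestack), the script below does two things: it matches a dependency map, such as the "packages" entries of a package-lock.json, against the compromised versions in the table above, and it flags source lines that hide code behind a long run of whitespace, the technique described for lib/index.js. The sample dependency map and file contents are constructed for the demonstration, and the 100-character padding threshold is an assumed heuristic.

```javascript
// Added example, not code from the article, Aikido or Gluestack.
// Compromised releases, taken from the article's table.
const COMPROMISED = {
  "@react-native-aria/button": "0.2.11", "@react-native-aria/checkbox": "0.2.11",
  "@react-native-aria/combobox": "0.2.10", "@react-native-aria/disclosure": "0.2.9",
  "@react-native-aria/focus": "0.2.10", "@react-native-aria/interactions": "0.2.17",
  "@react-native-aria/listbox": "0.2.10", "@react-native-aria/menu": "0.2.16",
  "@react-native-aria/overlay": "0.3.16", "@react-native-aria/radio": "0.2.14",
  "@react-native-aria/switch": "0.2.5", "@react-native-aria/toggle": "0.2.12",
  "@react-native-aria/utils": "0.2.13", "@gluestack-ui/utils": "0.1.17",
  "@react-native-aria/separator": "0.2.7", "@react-native-aria/slider": "0.2.13",
};

// deps: { packageName: installedVersion }. Returns "name@version" for exact matches
// with a compromised release; other versions of the same package are not flagged.
function findCompromised(deps) {
  return Object.entries(deps)
    .filter(([name, version]) => COMPROMISED[name] === version)
    .map(([name, version]) => `${name}@${version}`);
}

// Reports lines where visible code is followed by at least minPad spaces or tabs and
// then more code, which a narrow viewer renders as an innocuous line. Each hit records
// the 1-based line number, the padding length and a short preview of the hidden tail.
// minPad = 100 is an assumed threshold, not a value from the article.
function findPaddedTrailingCode(source, minPad = 100) {
  const hidden = new RegExp(`\\S([ \\t]{${minPad},})(\\S.*)$`);
  const hits = [];
  source.split(/\r?\n/).forEach((line, i) => {
    const m = hidden.exec(line);
    if (m) hits.push({ line: i + 1, padding: m[1].length, preview: m[2].slice(0, 40) });
  });
  return hits;
}

// Constructed sample inputs: one compromised pin, one clean pin from the same family,
// and a file whose last line hides a placeholder behind 500 spaces.
const SAMPLE_DEPS = {
  "@react-native-aria/focus": "0.2.10", "@gluestack-ui/utils": "0.1.16", "react": "18.3.1",
};
const SAMPLE_INDEX_JS = "\"use strict\";\nmodule.exports = require(\"./focus\");" +
  " ".repeat(500) + "(function(){/* constructed placeholder for obfuscated tail */})();\n";

console.log(findCompromised(SAMPLE_DEPS));            // [ '@react-native-aria/focus@0.2.10' ]
console.log(findPaddedTrailingCode(SAMPLE_INDEX_JS)); // one hit: line 2, padding 500
```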
Aikido told BleepingComputer that the malicious code is nearly identical to a remote access trojan it discovered in another NPM compromise last month.
The researchers' analysis of that earlier campaign shows that the remote access trojan connects to the attackers' command and control server and receives commands to execute.
These commands include:
- cd – Change the current working directory
- ss_dir – Reset the directory to the script path
- ss_fcd:
- ss_upf:f,d – Upload the single file f to destination d
- ss_upd:d,dest – Upload all files under directory d to destination dest
- ss_stop – Set a stop flag to interrupt the current upload process
- Any other input – Treated as a shell command and executed via child_process.exec()
The trojan also hijacks the Windows PATH environment variable by prepending a fake Python path (%LOCALAPPDATA%\_python3127), which lets the malware quietly override a legitimate python or pip command and execute the malicious binary instead.
Aikido security researcher Charlie Eriksen has tried to contact Gluestack by opening GitHub issues in each of the project's repositories, but there has been no response so far.
“There is no response from the package maintainers (this is Saturday morning in the US, which is actually happening now),” Aikido told BleepingComputer.
“We have approached NPM and reported each package; this is a process that usually takes NPM several days to address.”
Aikido also attributes this attack to the same threat actors who compromised four other NPM packages earlier this week: biatec-avm-gas-station, cputil-node, @lfwfinance/sdk and @lfwfinance/sdk-dev.
BleepingComputer reached out to Gluestack about the compromised packages but had not received a response at the time of publication.