The npm ecosystem has been hit by another supply-chain attack. The actors behind the previous Nx attack have struck again, compromising 187 packages, including some published by CrowdStrike.
Worming Its Way Through the Ecosystem
This latest attack is particularly insidious because it has turned into a full-fledged worm: a compromised package infects the environment that installs it, and that environment is then used to infect further packages. The playbook is the same as in the original Nx attack, but the worm logic lets the attackers reach an unprecedented number of packages with no manual effort per package.
What the Worm Does
The malicious payload has three primary goals: harvest secrets from the host, the CI environment and cloud metadata endpoints; exfiltrate the harvested material to GitHub; and propagate by publishing new, trojanized versions of other packages controlled by the compromised maintainer. It also amplifies its impact by making private repositories public and by adding GitHub workflows that trigger further runs and further leaks.
Leaking of Secrets
As with the original Nx attack, the payload runs a smash-and-grab: stolen credentials and tokens are published to GitHub and private repositories are flipped to public. Because the same worm logic drives the spread, every environment that installs an infected version becomes a new source of leaked secrets, which makes it hard for developers to contain the damage before the next hop.
Self-Propagation through npm
One of the most striking features of this attack is its ability to self-propagate through npm: using the publish token it harvests, the payload republishes itself into other packages owned by the compromised maintainer. Once a single environment is compromised, the worm can infect every package that maintainer has publish access to, and each of those packages can in turn compromise its own installers.
How to Avoid Being Compromised
To avoid being hit by this attack, take the following proactive measures:
- Check the versions you're using
- Clean your npm cache
- Reinstall all packages in your repository
- Make sure you use a package lock file and pinned versions
Remediation Advice
If you're already an Aikido user, check your central feed for malware issues. For future protection, consider using Aikido SafeChain, a secure wrapper for npm, npx, yarn, and pnpm that verifies packages against Aikido Intel's open-source threat intelligence before they are installed.
How to Tell if You're Affected
As an Aikido user, check your central feed and filter on malware issues; affected packages are surfaced as a 100/100 critical issue in the feed. If you're not yet an Aikido user, set up an account and connect your repos to get protected.
Shipping fast with open-source dependencies is the norm, but it is also crucial to stay ahead of supply-chain threats. By understanding the worm's behavior and taking the measures above, you can safeguard your projects and your users.