Mystery of industry-targeting backdoored NPM JavaScript packages solved

Malicious packages in the NPM Registry that security researchers for weeks believed were being used to stage supply-chain attacks against prominent industrial companies in Germany turned out to be part of a penetration test run by a cybersecurity company. Researchers at Snyk in late April published a blog post about a …

  1. Pascal Monett Silver badge

    So, all this hoopla for an intern

    Tell me, is it normal that a company supposedly working for several customers goes and posts its code on a public repository?

    This Cloud thing is driving people nuts. Yes, I can imagine that using GitHub is a great convenience, but for Pete's sake, you're writing sensitive code that is destined to do something for your customers!

    Get that stuff off the Internet and back onto a private, secured server!

    1. Anonymous Coward

      Re: Get that stuff off the Internet and back onto a private, secured server!

      Customer explicitly asks for it to be on github and pays me well to put it there.

      All I can do is bring up the risks as often and clearly as I can.

  2. Anonymous Coward

    "Finest Hacking"

    "Code White Finest Hacking", well at least the logo is not ambiguous.

    Süddeutsche Zeitung, German newspaper, receives all those financial leaks. Based in Stuttgart. Weird that, all those "whistleblowers" around the world, want to approach a German regional newspaper, sometimes lots of them across 13 companies all at the same time, all keen to share their leaks and practise their German. So very like a German state sponsored hack of low taxation states by a high tax state for propaganda purposes. One with an FIU that can legally hack for such purposes, with a suboffice in Mannheim.

    CodeWhite, started in a house in Stuttgart (70597 Stuttgart) now does hacking, their job requirements specify "Security Clearance", so a State client and apparently they've been hugely successful, that newish Kaiserring Mannheim office is big money, not sure why they're so vague about its address really.

    So a self proclaimed hacking company, working for the State, puts a package out while investigating "dependency confusion" yet the package has a genuine surveillance payload.

    Nothing to see here, totally nothing, no need to look, why bother going doing any kind of digging or anything, just move along....

    1. Ic_fly2

      Re: "Finest Hacking"

      Sorry to rain on your conspiracy parade but Süddeutsche is the largest German centre left broadsheet and has a large investigative department.

      It is also based in Munich not Stuttgart.

    2. Anonymous Coward

      Re: "Finest Hacking"

      The SZ is one of the newspapers of record in Germany and have a highly experienced data journalism team (ever heard of the Panama papers?) If I had the need and opportunity to leak important stuff, they'd be at the top of my list.

  3. VoiceOfTruth Silver badge

    In two minds about this

    -> the way White Code ran their tests was "not very normal and it could have problematic implications."

    Well if you are only expecting attacks in normal ways perhaps you need to look at the way you do things. Let me put it this way. If you lock the doors to prevent burglars, don't complain if you are burgled when you leave your skylight window open because climbing through the roof is 'not very normal'. If your security measures are only looking for expected things, give us the name of your product or service and we will be sure to never buy it.

    Solarwinds comes to mind.

  4. iron Silver badge

    This just proves what I have always thought, in the majority of cases security researchers don't know what they are talking about. When they tell you a malware strain "is the work of a highly sophisticated actor, probably a nation state" what they really mean is it was written by a couple of teenagers in their bedroom whose coding style wasn't recognised because it is their first successful virus.

    Everything done by Code White in this story is how I would want a pen test done on systems I've created. It is a great advert for their services! Not so much for JFrog, ReversingLabs, et al.

  5. Doctor Syntax Silver badge

    Were these pen tests commissioned by the targeted companies? If not do Code White propose to reimburse the costs the targets spent on investigating the test?

    1. sten2012

      If it wasn't, that wouldn't be a pentest/red team but a crime. And you probably wouldn't rush to admit it.

      So.. "yes", "no"

  6. innominatus

    "unclear how Code White got hold of internal packages names" - strings?

  7. Lis Bronze badge

    Oh dearie me

    Quote: "However, Shachar Menashe, senior director of security research at JFrog, told The Register the way White Code ran their tests was 'not very normal and it could have problematic implications'." Unquote.

    Given that someone has just shat on your strawberry patch, I am guessing that perhaps you are trying to clutch at any straw that would prevent you looking like publicity seeking knobhead.

    You have failed.

    You would have got more respect by saying something like "now don't I look like a right twat?" and then shut up and moved on.

    Just saying... Ishy
