Hijacked S3 buckets used in attacks on npm packages

Miscreants are using expired Amazon Web Services (AWS) S3 buckets to place malicious code into a legitimate package in the npm repository without having to tinker with any code. Software security firm Checkmarx said it began investigating after GitHub late last month posted an advisory about several releases of an npm package …

  1. JessicaRabbit

    For those of you, like me, left scratching their heads about what the actual attack was after reading the article: The attack was that an older version of the npm package pulled binaries from an S3 bucket during installation. The bucket was deleted and the attackers created a bucket of their own with the same name (S3 bucket names are globally unique) and served poisoned binaries from that bucket. Presumably this worked because there are codebases still using the older versions of bignum and CI/CD and new devs working on the codebase are installing the older package and getting the poisoned binaries in the process.

    1. b0llchit Silver badge

      And yet again it is proven that "cloudly stored de-central non-accountable development" is a risky business.

      But then, the "need" for npm in this form is just asking for problems. Why do we need so many disjoint "libraries"? I've seen dependency-trees pulling in 100+ packages from all over the place. That is just obscene. Sure, the base language library is lacking, but fewer packages that supply a proper and universal library platform would surely be appreciated. That would also make your attack surface a lot smaller.
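As an added example, not from the article or any commenter: the manifest check that JessicaRabbit's explanation points at, auditing a package.json for install-time downloads that come from an S3 bucket (node-pre-gyp's binary.host field and the lifecycle scripts) so those artifacts can be mirrored or pinned by hash rather than trusted to a bucket name that may later be deleted and re-registered. The manifest, package and bucket names below are constructed.

```python
import json
import re
from urllib.parse import urlparse

# Virtual-hosted style: <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com,
# and the legacy <bucket>.s3-<region>.amazonaws.com form.
_VHOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
# Path style: s3.amazonaws.com/<bucket>/... or s3.<region>.amazonaws.com/<bucket>/...
_PATH = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
_URL_IN_TEXT = re.compile(r"https?://[^\s'\"<>]+")


def s3_bucket_from_url(url):
    """Return the bucket an S3 URL refers to, or None if the URL is not S3-hosted."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    m = _VHOST.match(host)
    if m:
        return m.group("bucket")
    if _PATH.match(host):
        first = parsed.path.lstrip("/").split("/", 1)[0]
        return first or None
    return None


def find_s3_download_sources(manifest):
    """Return [(field, bucket, url)] for every S3 URL in install-relevant fields.

    Looks at node-pre-gyp's binary.host and at every lifecycle script, because a
    preinstall/install/postinstall command may fetch an artifact directly.
    """
    candidates = []
    host = manifest.get("binary", {}).get("host")
    if host:
        candidates.append(("binary.host", host))
    for name, cmd in manifest.get("scripts", {}).items():
        for url in _URL_IN_TEXT.findall(cmd):
            candidates.append((f"scripts.{name}", url))
    return [(f, s3_bucket_from_url(u), u) for f, u in candidates if s3_bucket_from_url(u)]


# Constructed sample manifest; the package and bucket names are made up.
SAMPLE_MANIFEST = json.loads("""{
  "name": "example-native-addon", "version": "0.0.1",
  "binary": {"module_name": "addon", "host": "https://example-addon-binaries.s3.amazonaws.com"},
  "scripts": {
    "install": "node-pre-gyp install --fallback-to-build",
    "postinstall": "curl -sSL https://s3.eu-west-1.amazonaws.com/example-addon-tools/helper.tgz | tar xz",
    "test": "node test.js"}}""")

if __name__ == "__main__":
    for field, bucket, url in find_s3_download_sources(SAMPLE_MANIFEST):
        print(f"{field}: install-time fetch from S3 bucket '{bucket}' ({url})")
```

Run the same function over each package.json in node_modules to list every dependency whose install step reaches outside the registry.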

  2. Anonymous Coward

    Attack of the “open source” FUD MONSTER

    “a quick glance through the open-source ecosystem reveals that dozens of packages are vulnerable to this same attack.”

    Do tell, don't spare the details!

    “Attackers poisoned the NPM package “bignum” by hijacking the S3 bucket”

    “About 6 months ago, this bucket was deleted .. This opened the bucket to a takeover”

    “When the bucket is deleted, the name becomes available again.”

    A bit of a defect in the S3 non-open-source infrastructure.

    “This counterfeit. node ..also added a malicious payload that waws”

    ‘Was’ shurly ?

    1. Missing Semicolon Silver badge

      Re: Attack of the “open source” FUD MONSTER

      The issue is not the ability to re-use S3 bucket names - it's the use of S3 buckets to distribute code that are not under the control of NPM at all! Since nobody wants to pay for the hosting, the original authors are using (presumably "free") resources to distribute it. It's like the whole thing is a college project!

      If hosting costs are a problem, make the central repos have fairly draconian rate limits, so that anything beyond hobby usage requires a local mirror.

  3. Anonymous Coward

    "bignum" already reached appendix status, so nobody cared about it

    It states clearly on the NPM bignum package page ... JavaScript now has a BigInt object. If you are using Node 10.4 or newer, you should use or migrate to BigInt.

    10.4 was, at the latest, released before April 2021, about the same date for all browsers. Currently still has 2,000 to 3,000 weekly downloads from NPM.

    The "nice" thing to have done would have been to keep the bignum API but replace the implementation of bignum with the new JS-native bigint, and no other dependencies, so existing clients could keep running their code without any changes in complete safety.

    Interestingly, one of the 3 collaborators on the npm bignum project page is named bitcoinjs. Of course, you should never judge a book by its cover.

  4. Reaps

    WTF are people dynamically linking to fucking source in cloud shit?

    Are modern devs all hipster lazy fuckers?

    Learn how to build apps properly you hipster wankers.

  5. spireite Silver badge

    Reused bucket name

    While I understand the bucket name becomes available, the crims must be incredibly lucky to be allocated the name that was previously used... Aren't they?
