Lucene search

K
thnThe Hacker NewsTHN:6F80101F49525926BD1F078F24670474
HistoryAug 28, 2023 - 3:40 p.m.

Developers Beware: Malicious Rust Libraries Caught Transmitting OS Info to Telegram Channel

2023-08-2815:40:00
The Hacker News
thehackernews.com
26
rust programming language
supply chain attack
phylum report
operating system information
telegram channel
software supply chain attack
ssh keys
sentinelone
npm package
data exfiltration
python package index

Malicious Rust Libraries

In yet another sign that developers continue to be targets of software supply chain attacks, a number of malicious packages have been discovered on the Rust programming language’s crate registry.

The libraries, uploaded between August 14 and 16, 2023, were published by a user named “amaperf,” Phylum said in a report published last week. The names of the packages, now taken down, are as follows: postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger.

It’s not clear what the end goal of the campaign was, but the suspicious modules were found to harbor functionalities to capture the operating system information (i.e., Windows, Linux, macOS, or Unknown) and transmit the data to a hard-coded Telegram channel via the messaging platform’s API.

Cybersecurity

This suggests that the campaign may have been in its early stages and that the threat actor may have been casting a wide net to compromise as many developer machines as possible to deliver rogue updates with improved data exfiltration capabilities.

“With access to SSH keys, production infrastructure, and company IP, developers are now an extremely valuable target,” the company said.

This is not the first time crates.io has emerged as a target of a supply chain attack. In May 2022, SentinelOne uncovered a campaign dubbed CrateDepression that leveraged typosquatting techniques to steal sensitive information and download arbitrary files.

The disclosure comes as Phylum also revealed an npm package called emails-helper that, once installed, sets up a callback mechanism to exfiltrate machine information to a remote server and launches encrypted binaries that are shipped with it as part of a sophisticated attack.

Cybersecurity

The module, which was advertised as a “JavaScript library to validate email address against different formats,” has been taken down by npm but not before it attracted 707 downloads since it was uploaded to the repository on August 24, 2023.

“Data exfiltration is attempted via HTTP, and if this fails, the attacker reverts to exfiltrating data via DNS,” the company said. “The binaries deploy penetration testing tools like dnscat2, mettle, and Cobalt Strike Beacon.”

“A simple action like running npm install can set off this elaborate attack chain, making it imperative for developers to exercise caution and due diligence as they carry out their software development activities.”

Malicious packages have been discovered on the Python Package Index (PyPI) as well, which attempt to steal sensitive information from infected systems as well as download an unknown second-stage payload from a remote server.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.