In November 2024, supply chain attacks featured two key trends: attackers’ persistent use of “legitimate-first” package strategies and creative approaches like exploiting official documentation. Cryptocurrency remained the primary target through both credential theft and mining operations.
Let’s delve into some of the most striking events of November:
Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data Theft
A malicious NPM package, masquerading as a legitimate XML-RPC implementation, operated for over a year—stealing data and mining cryptocurrency. Dozens of systems were affected. (Link to report).
Malicious NPM Package Exploits React Native Documentation Example
An attacker published a malicious NPM package that copies an example from React Native’s official documentation, aiming to catch developers who follow the guide verbatim. This shows that package verification is needed even when the code comes straight from official documentation. (Link to report).
Falling Stars
Two years after the discovery of StarJacking, an analysis of 21 package repositories reveals improved security measures against this threat—though the risk still persists in some repositories. (Link to report).
“aiocpa” Python Package Transforms From Legitimate Package to Crypto Thief
In November 2024, PyPI published an advisory about the aiocpa package, which was compromised when versions 0.1.13 and 0.1.14 introduced obfuscated malware designed to steal cryptocurrency credentials via Telegram. The attack was notable for its patience – the attacker maintained a legitimate package for months before adding malware, while keeping the GitHub repository clean. With thousands of downloads in its final month, aiocpa joins a growing trend where attackers establish legitimate packages before weaponizing them, in most cases to target cryptocurrency assets.
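As an added illustration (not code from the Checkmarx report or from the aiocpa package), here is a defender-side check for the pattern just described: walk a package's successive releases and flag the first version that introduces obfuscation or loader indicators its predecessor lacked. The package name, version numbers and file contents below are constructed samples.

```python
"""Flag package releases that introduce obfuscation indicators absent from the prior release."""
import re
from typing import Dict, List, Set, Tuple

# Heuristic patterns for code-loading and obfuscation constructs that a clean release rarely needs.
INDICATORS = {
    "dynamic_exec": re.compile(r"\b(exec|eval)\s*\("),
    "decoder_chain": re.compile(r"\b(base64\.b64decode|zlib\.decompress|marshal\.loads|codecs\.decode)\b"),
    "long_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "telegram_api": re.compile(r"api\.telegram\.org"),
}

def scan_source(source: str) -> Set[str]:
    """Return the names of every indicator that matches one source file."""
    return {name for name, rx in INDICATORS.items() if rx.search(source)}

def scan_release(files: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each file in a release (path -> source) to the indicators it triggers; clean files are dropped."""
    hits = {path: scan_source(src) for path, src in files.items()}
    return {path: found for path, found in hits.items() if found}

def find_suspicious_bumps(releases: Dict[str, Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Walk releases in the order given (oldest first) and report versions that add new indicators."""
    findings: List[Tuple[str, List[str]]] = []
    previous: Set[str] = set()
    for version, files in releases.items():
        current = set().union(*scan_release(files).values())
        introduced = current - previous
        if introduced:
            findings.append((version, sorted(introduced)))
        previous = current
    return findings

# Constructed sample: two benign releases, then a release that adds a hidden base64/zlib loader.
SAMPLE_RELEASES = {
    "1.0.0": {"examplepkg/__init__.py": "import aiohttp\n\nasync def pay(amount):\n    return amount\n"},
    "1.0.1": {"examplepkg/__init__.py": "import aiohttp\n\nasync def pay(amount):\n    return round(amount, 2)\n"},
    "1.0.2": {
        "examplepkg/__init__.py": "import aiohttp\nfrom . import _sync\n\nasync def pay(amount):\n    return amount\n",
        "examplepkg/_sync.py": "import base64, zlib\nexec(zlib.decompress(base64.b64decode('" + "QUJD" * 60 + "')))\n",
    },
}

if __name__ == "__main__":
    for version, names in find_suspicious_bumps(SAMPLE_RELEASES):
        print(f"{version}: newly introduced indicators {names}")
```

Run it against real distributions by unpacking each sdist or wheel into the same path-to-source mapping; a hit on a version bump is a prompt to diff that release against the project's repository, which is exactly where the aiocpa change would not have appeared.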
* * *
Our team will continue to hunt, squash attacks, and remove malicious packages in our effort to keep the open-source ecosystem safe.
I encourage you to stay up to date with the latest trends and tactics in software supply chain security by tuning into our future posts and learning how to defend against potential threats.
Stay tuned…
Checkmarx Supply Chain Security,
Working to Keep the Open Source Ecosystem Safe