btwiuse publishes backdoored components to the NPM registry

Report source: OSCS Open Source Security Community

Update date: 2022-07-04

Brief description of the event

npm is the package manager for Node.js; it provides searching, downloading, installing and uninstalling of third-party Node.js packages.

On July 4, 2022, OSCS monitoring found that the user btwiuse had uploaded two malicious component packages, btwiuse and k0s, to the official NPM registry. Once a project pulls in either package, a remote-control Trojan named k0s is loaded onto the user's machine; the impact is serious. OSCS advises developers to check their projects for these packages.

Detailed analysis

Taking the k0s component as an example, its directory structure is as follows:

index.js
package.json

Once the component is pulled into a project, the remote-control Trojan is executed; the dangerous code lives in the package.json and index.js files. (In general, a package.json runs code through npm lifecycle scripts such as preinstall and postinstall, which fire during installation even if the package is never required; index.js is the default entry point that runs when the package is required.)

The malicious code is as follows:

Tracing the code shows that it installs the remote-control service from the following repository:

https://github.com/btwiuse/k0s.git/

The remote-control server it connects to is:

https://k0s.io/

OSCS recommends that users inventory their assets and take preventive measures to avoid being compromised.

Remediation advice

OSCS recommends that users check for the malicious components in the following ways:

1. Run npm ls or npm ls -g to check whether the malicious components are installed (with npm 7 or later, add --all so that transitive dependencies are listed as well).

2. Check whether the project's package.json references the malicious components.

For details, please refer to:

https://www.oscs1024.com/hd/MPS-2022-41934/

Timeline

July 1: the attacker uploaded the malicious k0s package.

July 3: the attacker uploaded the malicious btwiuse package.

July 4: OSCS detected this malicious NPM package poisoning; servers had already been taken over by the attacker.


Source: www.oschina.net/news/201863