Type
Incident
Actors
Pub. date
April 27, 2023
Initial access
Dangling resource
Impact
Supply chain attack
Observed techniques
Dangling DNS takeover
Targeted technologies
npm
References
https://github.com/advisories/GHSA-xv2f-5jw4-v95mhttps://find.secure.software/npm/packages/fsevents/1.2.10https://nvd.nist.gov/vuln/detail/CVE-2023-45311https://security.snyk.io/vuln/SNYK-JS-FSEVENTS-5487987https://github.com/fsevents/fsevents/issues/357
Status
Finalized
Last edited
Jun 2, 2024 8:02 AM
The fsevents npm package previously pulled certain remote binaries from a public S3 bucket (fsevents-binaries.s3-us-west-2.amazonaws.com). At some point the bucket expired and the domain became dangling, and in April 2023 it was hijacked by an unknown actor (reportedly a security researcher), who replaced the binaries with information stealer malware as a proof of concept.
The bucket has since been reclaimed by AWS, and as of version 1.2.11, fsevents no longer downloads binaries from the bucket at all. Therefore, existing installations of this package (prior to April 2023) may remain impacted and their hosts might be infected by the malware binaries, but new installations (regardless of version) do not contain any malicious binaries.