Type: Incident
Actors:
Pub. date: April 27, 2023
Initial access: Dangling resource
Impact: Supply chain attack
Observed techniques:
Targeted technologies:
References:
Status: Finalized
Last edited: Jun 2, 2024 8:02 AM
The fsevents npm package previously pulled prebuilt native binaries at install time from a public S3 bucket (fsevents-binaries.s3-us-west-2.amazonaws.com). At some point the bucket was released, so the hostname that older versions of the package still requested became a dangling reference. In April 2023 an unknown actor (reportedly a security researcher) re-registered the bucket name and replaced the binaries with information-stealer malware as a proof of concept.

The bucket has since been reclaimed by AWS, and as of version 1.2.11 fsevents no longer downloads binaries from the bucket at all. The exposure is therefore limited to hosts that installed a pre-1.2.11 version while the bucket was under the hijacker's control (April 2023): those installs may have pulled the malicious binaries into node_modules, and the hosts may still be infected. New installations, of any version, do not contain the malicious binaries, because the bucket no longer serves them.
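The same failure mode (a dependency that fetches a native binary from an S3 bucket nobody owns any more) can be audited locally. The script below is an added example, not code from the fsevents project, npm or node-pre-gyp: it assumes the node-pre-gyp `binary.host` convention that pre-1.2.11 fsevents used, walks a node_modules tree for packages that declare an S3-hosted download, and classifies an unauthenticated S3 response as dangling (claimable) or claimed. The package.json contents and the S3 error document it uses are constructed for the example.

```python
"""Added example (not fsevents', npm's or node-pre-gyp's own code): audit an
installed node_modules tree for node-pre-gyp download hosts that point at
S3 buckets, and classify a bucket's unauthenticated HTTP response as live
or dangling. Package contents and the S3 error body below are constructed."""
import json
import re
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse

# Virtual-hosted-style S3 hostnames: <bucket>.s3[-.<region>].amazonaws.com
VHOST_RE = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
# Path-style S3 hostnames: s3[-.<region>].amazonaws.com/<bucket>/...
PATH_STYLE_RE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def s3_bucket_from_url(url: str) -> Optional[str]:
    """Return the bucket name an S3 URL resolves to, or None for non-S3 hosts."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    m = VHOST_RE.match(host)
    if m:
        return m.group("bucket")
    if PATH_STYLE_RE.match(host):
        first = parsed.path.strip("/").split("/", 1)[0]
        return first or None
    return None


def binary_hosts(package_json: dict) -> list:
    """node-pre-gyp downloads from binary.host; staging_host/production_host
    are alternative hosts the same tool honours when they are configured."""
    binary = package_json.get("binary")
    if not isinstance(binary, dict):
        return []
    return [binary[k] for k in ("host", "staging_host", "production_host")
            if isinstance(binary.get(k), str)]


def scan_node_modules(root: Path) -> list:
    """Walk every package.json under root and report S3-hosted binary downloads."""
    findings = []
    for pj in sorted(root.rglob("package.json")):
        try:
            data = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file: skip it, don't abort the audit
        for host_url in binary_hosts(data):
            bucket = s3_bucket_from_url(host_url)
            if bucket:
                findings.append({"package": data.get("name"), "version": data.get("version"),
                                 "host": host_url, "bucket": bucket, "path": str(pj)})
    return findings


def classify_bucket_response(status: int, body: str) -> str:
    """Classify an unauthenticated GET on https://<bucket>.s3.amazonaws.com/.
    404 with an S3 NoSuchBucket error means the name is unowned and can be
    registered by anyone (dangling); 200/301/307, or 403 AccessDenied, mean the
    bucket exists and is held by some account."""
    if status == 404 and "<Code>NoSuchBucket</Code>" in body:
        return "dangling"
    if status in (200, 301, 307, 403):
        return "claimed"
    return "unknown"


# Constructed package.json contents, modelled on the pre-1.2.11 fsevents layout
# (hypothetical values; not copied from any published package).
CONSTRUCTED_TREE = {
    "node_modules/fsevents/package.json": {
        "name": "fsevents", "version": "1.2.9",
        "binary": {"module_name": "fse",
                   "host": "https://fsevents-binaries.s3-us-west-2.amazonaws.com",
                   "remote_path": "./v{version}"}},
    "node_modules/plain-js-pkg/package.json": {"name": "plain-js-pkg", "version": "1.0.0"},
    "node_modules/other-native/package.json": {
        "name": "other-native", "version": "3.1.0",
        "binary": {"host": "https://github.com/example/other-native/releases/download/"}},
}

# Constructed copy of the S3 error document returned for an unowned bucket name.
NO_SUCH_BUCKET_BODY = ("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                       "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does "
                       "not exist</Message><BucketName>fsevents-binaries</BucketName></Error>")


def scan_constructed_tree() -> list:
    """Materialise CONSTRUCTED_TREE in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    for rel, content in CONSTRUCTED_TREE.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(json.dumps(content), encoding="utf-8")
    return scan_node_modules(root)


if __name__ == "__main__":
    for f in scan_constructed_tree():
        print(f"{f['package']}@{f['version']} downloads from bucket {f['bucket']} ({f['host']})")
    print(classify_bucket_response(404, NO_SUCH_BUCKET_BODY))
```

Run `scan_node_modules(Path("node_modules"))` against a real install to get the list of packages whose binaries come from S3, then fetch each bucket's root URL and pass the status and body to `classify_bucket_response`. A 404 whose body says NoSuchKey rather than NoSuchBucket is a claimed bucket with a missing object and is deliberately not reported as dangling. The audit only covers packages that declare node-pre-gyp `binary` metadata; a package that downloads from a custom install script has to be checked by reading that script.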