Type: Research
Actors:
Pub. date: December 6, 2023
Initial access: End-user compromise
Impact:
Resp. disclosure:
Observed techniques:
References:
Status: Stub
Last edited: Jun 2, 2024 8:02 AM
The attack began rather simply: a developer workstation was compromised. That developer could not only read from the internal Artifactory instance but also push updates to existing libraries. With this foothold in critical engineering infrastructure, the red team identified a library used widely across development groups at the company. They updated it to depend on one of the external packages Phylum had identified and pushed it back to Artifactory with a small version bump, so that builds would resolve the new release rather than a cached copy. As internal development groups updated their projects, the poisoned library was pulled and executed on many machines. The red team then sat back and watched as it spread to several development groups across the company.
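The release above is hard to spot because nothing in it looks abnormal on its own: a routine patch bump and one more dependency edge. One check a consuming team (or a registry-side hook) can run is to diff the dependency manifest of consecutive published versions of an internal library and flag dependencies that appeared between them, with extra weight on external packages arriving in a patch release. The script below is an added example, not Phylum's code and not from the exercise; the `@acme/` scope, the `acme-internal-helpers` package name and both manifests are constructed for illustration.

```python
"""
Added example (not Phylum's code and not from the red team exercise): given two
published versions of an internal library's dependency manifest, report which
dependencies appeared between them and whether they resolve outside the
company's own namespace. A release that is only a patch bump yet pulls in a
brand-new external package is exactly the shape of the poisoned update above.

Assumptions (constructed for this example):
- manifests are package.json-style JSON with a "dependencies" map
- first-party packages live under a hypothetical npm scope "@acme/"
"""
import json
from dataclasses import dataclass

# Hypothetical internal namespace; anything outside it is treated as external.
INTERNAL_PREFIXES = ("@acme/",)

# Constructed sample manifests: the shared library before and after the
# red team's edit (new external dependency, patch-level version bump).
BEFORE = json.dumps({
    "name": "@acme/common-utils",
    "version": "2.4.1",
    "dependencies": {"@acme/logging": "^1.2.0", "lodash": "^4.17.21"},
})
AFTER = json.dumps({
    "name": "@acme/common-utils",
    "version": "2.4.2",
    "dependencies": {
        "@acme/logging": "^1.2.0",
        "lodash": "^4.17.21",
        "acme-internal-helpers": "^1.0.0",  # hypothetical attacker package
    },
})


@dataclass(frozen=True)
class Finding:
    package: str
    spec: str
    severity: str
    reason: str


def parse_version(version: str) -> tuple:
    """Parse a plain MAJOR.MINOR.PATCH string (no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def bump_kind(old: str, new: str) -> str:
    """Classify the version change as major, minor, patch or none."""
    o, n = parse_version(old), parse_version(new)
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    if n[2] != o[2]:
        return "patch"
    return "none"


def is_internal(name: str) -> bool:
    return name.startswith(INTERNAL_PREFIXES)


def added_dependencies(before: dict, after: dict) -> dict:
    """Dependencies present in `after` that `before` did not declare."""
    old = before.get("dependencies", {})
    return {k: v for k, v in after.get("dependencies", {}).items() if k not in old}


def review_release(before_json: str, after_json: str):
    """Return the bump kind and a Finding for every newly added dependency."""
    before, after = json.loads(before_json), json.loads(after_json)
    kind = bump_kind(before["version"], after["version"])
    findings = []
    for name, spec in added_dependencies(before, after).items():
        if is_internal(name):
            findings.append(Finding(name, spec, "low",
                                    f"new first-party dependency in a {kind} release"))
        elif kind == "patch":
            # The poisoned update: tiny bump, brand-new external code path.
            findings.append(Finding(name, spec, "high",
                                    "new external dependency introduced by a patch release"))
        else:
            findings.append(Finding(name, spec, "medium",
                                    f"new external dependency in a {kind} release"))
    return kind, findings


if __name__ == "__main__":
    kind, findings = review_release(BEFORE, AFTER)
    print(f"version bump: {kind}")
    for f in findings:
        print(f"[{f.severity}] {f.package}@{f.spec}: {f.reason}")
```

In practice the two manifests would come from the registry itself (the previous and the newly published version of the library) rather than from inline strings, and the same diff should be run on the lockfile, since a manifest-only change can hide behind an unchanged range. The namespace check is deliberately crude: a package named to look internal but published without the company scope, as in the constructed sample, is still external and is flagged as such.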