NodeJS application repository phishing

Source: Internet
Author: User

Preface

A fortress is usually breached from the inside. However strong a system is, it can still be taken over: if the intrusion starts at the human link, the strongest line of defense becomes decoration.

Below is one example: using an application repository to compromise a developer's machine.

Application Repository

Application repositories are familiar to every developer. apt-get, brew, yum, npm... are essentially command-line versions of the App Store, making it easy to install all kinds of tools and dependency libraries.

They all work in much the same way. This article looks at the security risks of the NodeJS application repository, NPM.

NPM Platform

If NodeJS could only run on a single machine, it would be little more than another WScript. Fortunately, the emergence of the NPM platform let the whole community share code.

Developers install the libraries they need through NPM, and end users can install whole projects through it as well. In just a few years, tens of thousands of NodeJS projects have been published to NPM, with tens of millions of downloads each day. Does such a large user base carry a security risk?

Repository tampering

The first thing that comes to mind is a stolen NPM account. Once a maintainer's password leaks, an attacker can publish a new version of the project, and every user who updates installs the malicious code.

However, account credentials are not easy to obtain, and tampering with a highly active project is discovered quickly.

Repository phishing

Tampering with other people's packages is unreliable, so the attacker has to use their own. A project created from scratch has no users, though, so some have to be lured in.

An attacker can register a name that resembles an active project. For example, alongside the popular uglify-js one can publish a ghost package named uglifyjs. As soon as a user mistypes the name, the fake project is installed instead.

To keep users from noticing, the attacker clones the original project outright, so the fake behaves exactly like the genuine version and is hard to tell apart. Then a few lines are tampered with in some rarely read module. As soon as the user runs the script, the demon is released!
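The mistyped-name trick above can be caught mechanically before anything is installed. The following is an added example, not code from the original article or from npm itself: it compares a requested package name against a small list of popular names (the list is constructed for the example) and reports which real package the request looks like. Two checks are combined: the names are equal once separators such as "-" are stripped (the uglify-js / uglifyjs case), or they are within one edit of each other, counting an adjacent-letter swap as a single edit.

```javascript
// Added example: flag a requested npm package name that looks like a
// popular one. Not code from the original article or from npm; the
// popular-package list below is constructed for the example.
const POPULAR_PACKAGES = ['uglify-js', 'express', 'lodash', 'request', 'async'];

// Collapse separators and case so that "uglifyjs", "Uglify_JS" and
// "uglify-js" all compare equal.
function normalizeName(name) {
  return name.toLowerCase().replace(/^@/, '').replace(/[-_.]/g, '');
}

// Optimal string alignment distance: Levenshtein plus adjacent
// transposition, so "loadsh" is one edit from "lodash", not two.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Report popular packages that `requested` could be a typo of: same name
// once separators are stripped, or within one edit of the real name.
// An exact match is the real package, not a lookalike.
function findLookalikes(requested, popular = POPULAR_PACKAGES) {
  const req = requested.toLowerCase();
  const reqNorm = normalizeName(requested);
  return popular.filter((real) => {
    if (real === req) return false;
    return normalizeName(real) === reqNorm || editDistance(req, real) <= 1;
  });
}

// Demo: the article's uglify-js / uglifyjs case, a transposition typo,
// and a correctly spelled name.
for (const name of ['uglifyjs', 'loadsh', 'express']) {
  console.log(name, '->', findLookalikes(name));
}
```

In practice the popular-name list would come from the registry's download statistics or from the organization's own approved-dependency list, and a hit should stop the install and ask the user to confirm the name rather than merely log it.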

Intrusion during installation

If the user notices that the wrong project was installed and uninstalls it before running anything, is the intrusion prevented?

In fact, NPM is extremely powerful and can execute additional commands during installation itself.

In the scripts field of package.json, a command can be defined for each lifecycle stage.

For example, postinstall runs after the package has been installed.

So the system can be compromised the moment a user's hand slips while typing npm install xxx.
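What a postinstall hook looks like in a manifest, and how to spot one before installing, is shown by the following added example; it is not code from the original article or from npm. The two package.json manifests are constructed for the example: one benign, one a clone with a single install-time stage added. The audit lists every stage npm runs while installing a dependency (preinstall, install, postinstall, and prepare, which runs when the package is installed from git or as the root project).

```javascript
// Added example: list the lifecycle scripts a package would run during
// `npm install`. Not code from the original article or from npm; the
// two manifests below are constructed for the example.

// Stages npm runs while installing a dependency (prepare runs when the
// package is installed from git or is the root project being installed).
const INSTALL_STAGES = ['preinstall', 'install', 'postinstall', 'prepare'];

// Constructed benign manifest: scripts exist, but none fires at install time.
const BENIGN = {
  name: 'uglify-js',
  version: '1.0.0',
  scripts: { test: 'node test/run-tests.js' },
};

// Constructed phishing manifest: cloned from the original, one stage added.
// lib/setup.js is a hypothetical file name; whatever it contains runs
// with the installing user's privileges on every `npm install uglifyjs`.
const PHISHING = {
  name: 'uglifyjs',
  version: '1.0.0',
  scripts: {
    test: 'node test/run-tests.js',
    postinstall: 'node lib/setup.js',
  },
};

// Return [{stage, command}] for every install-time hook in the manifest.
function installScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_STAGES
    .filter((stage) => typeof scripts[stage] === 'string' && scripts[stage].trim() !== '')
    .map((stage) => ({ stage, command: scripts[stage] }));
}

// Parse a package.json string and audit it; malformed JSON is reported
// rather than thrown so a scan over many packages keeps going.
function auditPackageJson(text) {
  let manifest;
  try {
    manifest = JSON.parse(text);
  } catch (err) {
    return { ok: false, reason: 'invalid JSON: ' + err.message, hooks: [] };
  }
  return { ok: true, name: manifest.name, hooks: installScripts(manifest) };
}

// Demo: the benign package reports nothing, the clone reports its hook.
for (const manifest of [BENIGN, PHISHING]) {
  console.log(manifest.name, '->', auditPackageJson(JSON.stringify(manifest)));
}
```

Before installing an unfamiliar package, `npm view <name> scripts` prints the same field straight from the registry. Setting `npm config set ignore-scripts true` (or passing `--ignore-scripts` to a single `npm install`) stops npm from running these stages at all; legitimate packages that genuinely need a build step then have to be handled explicitly, which is the right trade for a package you only meant to try.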

It sounds far-fetched. However, testing showed that a knock-off of an active project receives dozens to hundreds of (accidental) installations per day. Although that is only a small fraction of the genuine package's downloads, these are potentially high-value victims.

Most of them are developers. Once a developer's machine is controlled, the attacker can pivot into the corporate intranet.

Persistent intrusion

Once a developer's machine is compromised, the consequences are far worse than one might imagine. Beyond information leakage, there are more frightening scenarios.

Take uglify-js as an example: what happens if a developer installs the phishing version?

It is a compression tool that behaves like a compiler, turning reviewed source code into an unreadable black-box program; this is usually the last step before release. If this stage is manipulated by the attacker, code that has passed review still cannot escape.

The phishing tool might, for example, insert a hidden XSS payload into the compressed script, which is hard to notice without careful inspection. Once the script goes live, thousands of online users are affected.

Without attacking a single server, the attacker has taken over the site from its very source.

Of course, it is not only the Web that can be infected; other clients are even more exposed. Rarely scrutinized open-source libraries or header files can be hiding places for malicious code.

Phishing promotion

After all, the number of users who mistype a name is limited. To increase the infection volume, it cannot be ruled out that attackers actively promote their own phishing packages.

Such promotion will not be blatant; the intent may be impossible to detect.

An attacker can repost popular articles and replace the demo address with their own phishing project, so that readers who come to try it are quietly compromised without any warning.

Or, more directly, promote the project in forums and social circles with dazzling blurbs and cool screenshots, so that curious people walk straight into the attacker's hands.

Summary

Besides NPM, any application platform that does not review submissions may be exposed to phishing projects.

Therefore, be extremely careful when installing packages. If you do not remember a project's exact name, verify it before installing.

Likewise, be cautious when trying out projects of unknown origin. After all, installing a package amounts to running an application.
