Cybercriminals have found a way to inject malicious code into npm packages without modifying the packages' published source code. They took over AWS S3 buckets that had been abandoned by their owners and replaced the binaries the packages download in order to work.
The attack was discovered by Checkmarx researchers who investigated the compromise of the "bignum" package. This package distributed a malicious binary that stole users' personal data and sent it to the hijacked S3 bucket.
Checkmarx also found dozens of other npm packages exposed to the same threat. This reflects cybercriminals' growing interest in the software supply chain, which lets them reach a large number of potential victims quickly.
AWS S3 buckets are cloud storage containers that can be used for website hosting or data backup. Each bucket is reachable at a unique URL, but an owner may forget about the bucket or stop using it while that URL is still referenced elsewhere. An attacker who then claims the abandoned bucket controls what its URL serves.
The "bignum" package used the node-gyp tool to download a binary file from an S3 bucket. When the original bucket became unavailable, the attacker hijacked it and placed their own malicious binary there. Whenever users installed or reinstalled the bignum package, they also downloaded the attacker's file.
The malicious binary, written in C++, behaved just like the original one, but additionally collected user credentials and sent them to the attacker-controlled S3 bucket.
This attack highlights the importance of keeping track of the S3 buckets your software depends on and never leaving them abandoned while their names are still referenced. It is also advisable to check where the binaries that npm packages download at install time actually come from. npm users can use tools such as npm audit or Snyk to find vulnerabilities in their dependencies.