Miasma malware launches attacks through a new technique, Phantom Gyp
Another security firm, Wiz, also analyzed this technique. Previously the attackers injected malicious code into package.json; this time the trick is extended through a file named binding.gyp, so that while the malicious package is being set up, an obfuscated installer is run in the background. Wiz explains the principle: as long as binding.gyp exists in the package root directory and package.json does not specify a custom install script (install or preinstall), npm runs node-gyp rebuild, which parses the contents of binding.gyp and executes arbitrary command expressions in the host's shell.
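As an added example (not code from the article, Wiz or JFrog), a small Node.js check a defender can run over an unpacked package to flag the condition described: binding.gyp present at the root, no install/preinstall script in package.json, and command expressions in the gyp file. It assumes GYP's `<!(cmd)`/`<!@(cmd)` command-expansion syntax and `actions` blocks, which the article does not name; the sample file contents are constructed.

```javascript
// Added example: flag an unpacked npm package whose install path silently
// falls through to node-gyp. Inputs are in-memory strings (constructed).

// npm runs `node-gyp rebuild` when binding.gyp exists at the package root
// and package.json defines neither "install" nor "preinstall".
function defaultsToNodeGyp(pkgJson, hasBindingGyp) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return hasBindingGyp && !("install" in scripts) && !("preinstall" in scripts);
}

// GYP expands `<!(cmd)` / `<!@(cmd)` by running cmd in a shell, and
// "actions" blocks also run commands; report what a binding.gyp would execute.
function findGypCommands(gypText) {
  const hits = [];
  const expansion = /<!@?\((.*?)\)/g;
  let m;
  while ((m = expansion.exec(gypText)) !== null) {
    hits.push({ kind: "expansion", cmd: m[1] });
  }
  if (/"actions"\s*:/.test(gypText)) hits.push({ kind: "actions", cmd: null });
  return hits;
}

// gypText is null when the package has no binding.gyp at its root.
function assessPackage(pkgJsonText, gypText) {
  const pkg = JSON.parse(pkgJsonText);
  const hasGyp = gypText !== null;
  const implicitGyp = defaultsToNodeGyp(pkg, hasGyp);
  const commands = hasGyp ? findGypCommands(gypText) : [];
  // Suspicious: no explicit install hook to review, yet the gyp file
  // carries commands that node-gyp would run during installation.
  const suspicious = implicitGyp && commands.length > 0;
  return { name: pkg.name, implicitGyp, commands, suspicious };
}

// Constructed sample mimicking the described pattern (not real package contents).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-pkg", version: "1.0.0", scripts: { test: "node test.js" }
});
const SAMPLE_BINDING_GYP = `{
  "targets": [{
    "target_name": "noop",
    "variables": { "x": "<!(node setup_env.js)" },
    "sources": []
  }]
}`;

console.log(assessPackage(SAMPLE_PACKAGE_JSON, SAMPLE_BINDING_GYP));
```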
Shai-Hulud - Miasma: The Spreading Blight Hits Red Hat npm Packages - JFrog Security Research (research.jfrog.com)
JFrog Security Research analyzed 31 hijacked `@redhat-cloud-services` npm package versions carrying a new Shai-Hulud variant. The campaign, identified in the payload as "Miasma: The Spreading Blight", uses install-time execution, layered JavaScript obfuscation, Bun-based payload delivery, credential theft, GitHub and npm propagation, and destructive persistence.