Headline
Developers Beware: Malicious Rust Libraries Caught Transmitting OS Info to Telegram Channel
In yet another sign that developers continue to be targets of software supply chain attacks, a number of malicious packages have been discovered on the Rust programming language’s crate registry. The libraries, uploaded between August 14 and 16, 2023, were published by a user named “amaperf,” Phylum said in a report published last week. The names of the packages, now taken down, are as follows:
Supply Chain / Software Security
In yet another sign that developers continue to be targets of software supply chain attacks, a number of malicious packages have been discovered on the Rust programming language’s crate registry.
The libraries, uploaded between August 14 and 16, 2023, were published by a user named “amaperf,” Phylum said in a report published last week. The names of the packages, now taken down, are as follows: postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger.
It’s not clear what the end goal of the campaign was, but the suspicious modules were found to harbor functionalities to capture the operating system information (i.e., Windows, Linux, macOS, or Unknown) and transmit the data to a hard-coded Telegram channel via the messaging platform’s API.
This suggests that the campaign may have been in its early stages and that the threat actor may have been casting a wide net to compromise as many developer machines as possible to deliver rogue updates with improved data exfiltration capabilities.
“With access to SSH keys, production infrastructure, and company IP, developers are now an extremely valuable target,” the company said.
This is not the first time crates.io has emerged as a target of a supply chain attack. In May 2022, SentinelOne uncovered a campaign dubbed CrateDepression that leveraged typosquatting techniques to steal sensitive information and download arbitrary files.
The disclosure comes as Phylum also revealed an npm package called emails-helper that, once installed, sets up a callback mechanism to exfiltrate machine information to a remote server and launches encrypted binaries that are shipped with it as part of a sophisticated attack.
The module, which was advertised as a “JavaScript library to validate email address against different formats,” has been taken down by npm but not before it attracted 707 downloads since it was uploaded to the repository on August 24, 2023.
“Data exfiltration is attempted via HTTP, and if this fails, the attacker reverts to exfiltrating data via DNS,” the company said. “The binaries deploy penetration testing tools like dnscat2, mettle, and Cobalt Strike Beacon.”
“A simple action like running npm install can set off this elaborate attack chain, making it imperative for developers to exercise caution and due diligence as they carry out their software development activities.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.