Developers and their systems have a unique spot on the software food chain. They are like the water and soil for the seeds of the software. If you poison either one of these, you can have a massive impact downstream. If you look at the details of the LastPass breach it started with a developer system getting owned via what I would consider misuse of a development system. This highlights some of the challenges with the way development systems are handled. When I was working with Cylance to implement Protect and Optics, I received a lot of pushback when extending protections to development systems. The developers claimed that they were not able to do their work with the EDR in place and the amount of work to get them to accept it and then configure it to work with many of the development tools out at the time (X-Code was one of the worst). So, these systems were left unprotected in one way or another (in some cases they did not even have URL filtering either). This is still the world that we live in today.

It is within this setting that we talk about the increase in the detection of malicious packages in places like NPM. Groups like Phylum have been discovering and assisting in the removal of malicious packages from NPM for a while, but the number of campaigns they are identifying and tracking is growing. A recent one that was identified by Checkmarx, is a continuation of one that is also being tracked by Phylum. This particular group has been pushing malicious packages into NPM since at least 2021. These packages are designed to steal information from the device they are installed on. They all utilize a postinstall hook this is set up in the package.json file. The hook calls a pair of Java Script files that pull metadata from the device and any source code they can find.

The campaign in question here appears to be aimed at crypto developers, but it does show how attackers can utilize packages to gather information about developers and any source code they might have access to. Grabbing source code pre-compilation has significant benefits to threat groups as they can take a deeper look into what makes the software tick and help in finding ways to get around gates and protections in the code. It can also allow an attacker to make counterfeit versions of applications with malware built in or find ways to inject malicious code into future projects via the developer system.

From an attacker perspective, gaining access to developer systems is a huge win for both strategic and tactical follow-on attacks. The effort is relatively minimal if the attack vector is via dependency packages and that cost is very well balanced by the potential payoff. The increase in reported campaigns targeting repositories like NPM should be a wake-up call that DevOps security needs a big refresh. It might be painful at first as the tools are tuned to protect development systems and not hinder the development process too much, but the outcome will be well worth it.