npm package disguised as "twilio-npm" opens a backdoor

A JavaScript library posing as a Twilio-related library allowed a backdoor to be installed on developers' computers, letting attackers gain access to the compromised workstations. It was uploaded to the npm open source registry last Friday.

Fortunately, Sonatype's malware detection service, Release Integrity, quickly spotted the malware in all three of its versions, and the package was removed on Monday.

On Monday the npm security team removed a JavaScript library called "twilio-npm" from the npm website because it contained malicious code capable of opening a backdoor on developers' machines.

Packages carrying malicious code have become a recurring theme in the open source JavaScript registry.

The JavaScript library (and its malicious behavior) was discovered this week by Sonatype, which scans public package registries as part of its DevSecOps security services.

In a report published Monday, Sonatype said the library was first published on the npm website on Friday, discovered the same day, and removed on Monday after the npm security team blacklisted the package.

There are many legitimate packages in the npm registry that relate to or represent the official Twilio service.

But according to Ax Sharma, a security engineer at Sonatype, twilio-npm has nothing to do with the Twilio company. Twilio is not involved and has no connection to this brand-hijacking attempt. Twilio runs a cloud-based communications platform-as-a-service that lets developers build VoIP-based applications that can programmatically make and receive phone calls and text messages.

The official Twilio npm package is downloaded nearly half a million times per week, according to the engineer. That popularity explains why threat actors would want to target its users with a counterfeit package of the same name.

"However, the twilio-npm package did not stay around long enough to fool many people. Uploaded on Friday, October 30, Sonatype's Release Integrity service apparently flagged the code as suspicious the next day - artificial intelligence and machine learning clearly have their uses. By Monday, November 2, the company published its findings and the code was removed."

Despite its short life on the npm portal, the library was downloaded more than 370 times and was automatically pulled into JavaScript projects created and managed through the npm command-line utility (Node Package Manager), according to Sharma. Many of those initial requests likely came from scanning engines and proxies that track changes to the npm registry.

The counterfeit package is a single-file piece of malware with three versions available for download (1.0.0, 1.0.1 and 1.0.2). All three versions appear to have been published on the same day, October 30. Version 1.0.0 does not do much, according to Sharma: it contains only a small manifest file, package.json, which fetches a resource hosted on a ngrok subdomain.

ngrok is a legitimate service that developers use when testing applications, mainly to expose their "localhost" server applications behind a NAT or firewall. In versions 1.0.1 and 1.0.2, however, the same manifest has its post-install script modified to carry out a malicious task, according to Sharma.

That script opens a backdoor on the user's machine, giving the attacker control of the compromised host and remote code execution (RCE) capability. Sharma noted that the reverse shell only works on UNIX-based operating systems.

Developers must rotate IDs, secrets, and keys

The npm advisory states that developers who may have installed the malicious package before it was removed are at risk.

"Any computer that has this package installed or running should be considered fully compromised," the npm security team said on Monday, confirming Sonatype's investigation.
