Security News
Sarah Gooding
Philipp Burckhardt
March 30, 2024
XZ utils, a package for data compression software used in nearly every Linux distribution, was found to be backdoored and may allow unauthorized access to affected systems.
This set off a number of urgent security alerts from CISA, RedHat, Kali Linux, and others. The malicious code is included in versions 5.6.0 and 5.6.1 of the xz libraries, and was discovered by PostgreSQL developer and committer Andres Freund.
From the GitHub Advisory Database:
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions.
To find out which version you have installed, open a terminal and run the following command:
$ xz --version
xz (XZ Utils) 5.4.6
liblzma 5.4.6
In case of running 5.6.0 or 5.6.1, developers and users are strongly advised to downgrade XZ Utils to an uncompromised version such as XZ Utils 5.4.6 Stable. macOS users who have installed XZ Utils using Homebrew can downgrade to the latest non-malicious version by running the following command in their terminal:
brew upgrade xz
Linux users on Debian-based distributions such as Ubuntu can update XZ Utils via sudo apt-get update followed by sudo apt-get install --only-upgrade xz-utils.
Although xz is technically an OS-level dependency, it may also affect bundled application-level dependencies. It is possible that npm, Python, Go, or other packages bundle the xz utils dependency into a package, which could be another attack vector.
The easiest way to figure out who this affects is to determine the most popular xz dependencies that exist in the ecosystem. The question to answer is whether the vulnerable version is bundled into the JavaScript library, or whether the library merely links to the copy that is already installed on the system.
As you can see in the example above, Socket has a "Native code" alert which indicates whether a dependency contains native code, which could be a vector to obscure malicious code.
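The version check described above, plus a first pass at the bundled-versus-linked question, as an added shell example that is not part of the Socket post. The function and variable names (xz_version_affected, classify_xz_output, scan_bundled_lzma, the SAMPLE_* strings) are my own; the sample outputs are constructed, not captured from a real host. The scan is a heuristic: it treats a native extension binary that carries liblzma strings as bundling its own copy, and one that only shows liblzma in ldd output as relying on the OS package, which the apt or brew step above fixes. It assumes POSIX sh with find, grep -a and sed; ldd is used only when present.

```sh
#!/bin/sh
# Added example (not from the Socket post). Two defender-side checks:
#  1. classify the output of `xz --version` (the manual step from the post);
#  2. scan a dependency tree (node_modules, site-packages, a Go module cache)
#     for native binaries that bundle their own liblzma rather than linking
#     the copy installed on the system.
# Assumes POSIX sh plus `find`, `grep -a`, `sed`; `ldd` is optional.

# Backdoored upstream releases named in the advisory.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Exit 0 when the version string is one of the backdoored releases.
xz_version_affected() {
  for v in $AFFECTED_VERSIONS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Pull the XZ Utils version out of `xz --version` output,
# e.g. "xz (XZ Utils) 5.4.6" -> "5.4.6". Prints nothing if the format is unknown.
xz_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Prints AFFECTED, OK or UNKNOWN for a captured `xz --version` output.
classify_xz_output() {
  ver=$(xz_version_from_output "$1")
  if [ -z "$ver" ]; then
    echo UNKNOWN
  elif xz_version_affected "$ver"; then
    echo AFFECTED
  else
    echo OK
  fi
}

# Live check of the xz binary on PATH.
check_installed_xz() {
  if command -v xz >/dev/null 2>&1; then
    classify_xz_output "$(xz --version 2>/dev/null)"
  else
    echo UNKNOWN
  fi
}

# Heuristic scan of native extension binaries under a directory.
#   BUNDLED-AFFECTED  liblzma strings plus a 5.6.0/5.6.1 version string
#   BUNDLED           liblzma strings, some other version
#   LINKS-SYSTEM-LIBLZMA  no embedded copy, resolved via the OS library at load time
# A stray "5.6.1" elsewhere in a binary is a false positive; treat hits as leads.
scan_bundled_lzma() {
  find "$1" -type f \( -name '*.so' -o -name '*.so.*' -o -name '*.node' \
       -o -name '*.dylib' -o -name '*.dll' -o -name '*.pyd' \) 2>/dev/null |
  while IFS= read -r f; do
    if grep -aqE 'XZ Utils|liblzma|lzma_version_string' "$f" 2>/dev/null; then
      if grep -aqE '5\.6\.[01]' "$f" 2>/dev/null; then
        echo "BUNDLED-AFFECTED $f"
      else
        echo "BUNDLED $f"
      fi
    elif command -v ldd >/dev/null 2>&1 && ldd "$f" 2>/dev/null | grep -q liblzma; then
      echo "LINKS-SYSTEM-LIBLZMA $f"
    fi
  done
}

# Constructed sample outputs (not captured from a real host) for a dry run.
SAMPLE_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

if [ "${1:-}" = "--demo" ]; then
  echo "sample 5.4.6: $(classify_xz_output "$SAMPLE_OK")"   # OK
  echo "sample 5.6.1: $(classify_xz_output "$SAMPLE_BAD")"  # AFFECTED
  echo "this host:    $(check_installed_xz)"
  [ -d node_modules ] && scan_bundled_lzma node_modules
fi
```

Run it as `sh check_xz.sh --demo` from a project root to classify the host's xz and list any native binaries under node_modules that carry their own liblzma; point scan_bundled_lzma at a Python site-packages or Go build cache in the same way. A BUNDLED hit is the case the post is concerned about, because upgrading the OS package does nothing for a copy compiled into a package.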
Below are some of the most popular packages that we have examined to make a determination about whether or not they are safe or affected. (We will keep updating this list as more information becomes available.)
Socket users can use the Dependency Search feature to search for these packages to determine if your organization is using them.
If you are a current Socket customer and you need more help finding out if you were affected, contact us and we will assist you.
If you’re not a Socket customer, you can install our free Socket for GitHub app in two clicks and follow these instructions to find out if your dependencies were affected.
5.6.1 was opened: https://github.com/jamespfennell/xz/pull/2 (safe because the PR was not merged)