Malicious npm Package “legacyreact-aws-s3-typescript” Backdoors AWS Users

A malicious npm package, “legacyreact-aws-s3-typescript,” mimicking a legitimate Amazon S3 tool, was found to contain a backdoor allowing remote attackers to execute commands and gain unauthorized access to systems. This backdoor, activated through a post-install script in version 1.2.4, was quickly removed from the npm registry, highlighting the risks of typosquatting and the need for caution when using third-party packages.

Detailed Vulnerability Information

• Package Name: legacyreact-aws-s3-typescript
• Malicious Activity Identified:
  • Dormant Period: The package remained dormant for four months before suspicious updates were published in May 2024.
  • Malicious Updates: The final version, 1.2.4, included a post-install script that downloaded and executed a malicious ELF file, establishing a backdoor to a remote server.
  • Malicious Server: The ELF file connected to the IP address 91[.]238[.]181[.]250 and executed commands through /bin/sh.

Technical Analysis

• ELF File Analysis: The backdoor opened a socket to the remote server, allowing attackers to execute commands remotely.
• Initial Clean Versions: Early versions (1.1.5, 1.1.6, and 1.1.7) published in February 2024 were clean.
• Malicious Versions: Versions 1.1.9, 1.2.1, and 1.2.2, published briefly in May, contained malicious code and were quickly removed.
• Final Malicious Version: Version 1.2.4, which contained the backdoor, was publicly accessible until detected by ReversingLabs.

Attack Methodology

• Typosquatting: The malicious package used typosquatting, adopting a name similar to the legitimate “react-aws-s3-typescript” package to deceive users.
• Content Duplication: The package copied content from the legitimate package to further the deception.

Impact

• Potential Victims: Users who installed the package could have their systems compromised, allowing attackers to:
  • Execute arbitrary commands.
  • Gain unauthorized access to sensitive data.
  • Establish persistent access through the backdoor.
• Risk to AWS Users: The malicious package specifically targeted users of Amazon S3, potentially compromising cloud storage and associated resources.

Mitigation and Recommendations

1. Immediate Removal:
   • Uninstall the “legacyreact-aws-s3-typescript” package from all systems.
2. Security Audits:
   • Conduct thorough security audits on systems where the package was installed.
   • Monitor for any unusual activity that could indicate compromise.
3. Network Monitoring:
   • Implement network monitoring to detect and block connections to the malicious IP address 91[.]238[.]181[.]250.
4. Enhanced Scrutiny:
   • Increase scrutiny when integrating open-source components into projects.
   • Regularly review and audit dependencies for any changes or updates that could introduce vulnerabilities.
5. Awareness and Training:
   • Educate development teams on the risks of typosquatting and the importance of verifying the legitimacy of packages.
6. Report and Share Information:
   • Report any suspicious packages to npm and share information about detected threats with the community.

The discovery of the malicious “legacyreact-aws-s3-typescript” package underscores the ongoing challenges in monitoring open-source threats. This incident highlights the importance of vigilance and proactive security measures when working with open-source components. By staying informed and adopting robust security practices, developers can mitigate the risks associated with malicious code in seemingly legitimate packages.

Stay Secure. Stay Informed.

OP Innovate Research Team.