- A malicious Axios release on npm added a hidden dependency that ran a cross-platform remote access trojan during installation.
- Attackers abused a compromised maintainer account and legacy npm tokens to publish axios@1.14.1, axios@0.30.4 and plain-crypto-js@4.2.1.
- The RAT can exfiltrate secrets and reach repositories and cloud environments; IOCs include sfrclak.com, 142.11.206.73 and specific filesystem artifacts.
- Security teams urge developers to audit lock files, rotate credentials, harden supply-chain workflows and treat affected machines as fully compromised.

For a few tense hours, one of the most widely used JavaScript libraries in the world, Axios, became an unexpected malware delivery vehicle. A targeted supply-chain attack on the npm ecosystem turned a routine dependency update into a potential entry point into hundreds of thousands of engineering machines and build systems.
Researchers from several security companies and Google's Threat Intelligence Group pieced together how a malicious actor slipped a remote access trojan (RAT) into specific Axios releases on npm, in a pattern resembling the npm supply-chain worm.
What Axios is and why the compromise matters so much
At its core, Axios is a promise-based HTTP client for Node.js and browsers. It sits behind the scenes in countless projects, handling everyday tasks such as "fetch my messages from the server" or "submit this form to the API" without developers having to write low-level networking code by hand.
Because it runs both in the browser and on Node.js servers, Axios has become a foundational dependency in modern JavaScript stacks. You may never have installed it explicitly, yet you still depend on it indirectly if you:
- Use web applications built with frameworks such as React, Vue or Angular that route their API calls through Axios.
- Use desktop or mobile applications built with technologies such as Electron, React Native and similar web-based runtimes.
- Interact with small SaaS tools, admin dashboards or self-hosted services whose engineers chose Axios for HTTP requests.
In that sense, Axios is a bit like the plumbing in your house: you rarely think about it, but it carries the "water" of data between your application and the outside world. You only really notice it when there is a leak, which is exactly what this attack created, but at the scale of a software ecosystem.
Indlela ukuhlasela kwe-Axios npm okwenzeka ngayo
Lesi sigameko sigxile ekukhishweni okubili kwe-npm: axios@1.14.1 futhi axios@0.30.4Besebenzisa iziqinisekiso ezisengozini zomunye wabanakekeli abayinhloko bephrojekthi, abahlaseli bakwazile ukushicilela i-malicious yakha ngqo ku-npm ngenkathi ishiya ikhodi yomthombo yomphakathi ye-GitHub ingathintekile, iphethini nayo ichazwe ku Ukuhlaziywa kwe-Shai-Hulud.
Esikhundleni sokushintsha ikhodi ye-Axios ngokusobala, umhlaseli wengeze ukuthembela okusha, okubonakala kungahlobene: i-plain-crypto-js@4.2.1Leli phakethe lenzelwe ngqo ukusebenza kanye ayingeniswanga ndawo kumafayela omthombo we-Axios, ifulegi elibomvu kunoma ubani ohlola umehluko—kodwa kulula ukuwuphuthelwa emisebenzini ezenzakalelayo ethemba nje irejista.
Ndawonye, izinhlobo ezimbili ze-axios ezingcolile zazinethonya elikhulu, elifinyelela ku- cishe ukulanda okungu-100 million masonto onke ku-npmI-Axios kulinganiselwa ukuthi ikhona cishe ezindaweni ezingamafu ezingama-80% kanye namapayipi e-CI/CD, ngakho-ke ngisho nefasitela elifushane lokuvezwa lalimelela ingozi enkulu yesistimu.
Okubaluleke kakhulu, izinguqulo ezithintekile azizange zivele ku- amathegi asemthethweni e-GitHub yephrojekthi ye-Axios. Leyo mininingwane isikisela ngokuqinile ukuthi izinqubo zokukhulula ezijwayelekile zadlulwa: umhlaseli wasebenzisa ithokheni ye-npm eyebiwe ukuze asunduze amaphakheji ngqo kurejista, ngaphandle kwebhendi emlandweni womthombo womphakathi.
How the malicious dependency and the RAT worked
The heart of the compromise lies in what happened at install time. Any workflow that ran npm install and pulled in axios@1.14.1, axios@0.30.4 or plain-crypto-js@4.2.1 with scripts enabled triggered a hidden post-install process.
Inside the malicious dependency, a postinstall script (node setup.js) ran automatically. That script fetched a hidden dropper, which in turn downloaded a platform-specific RAT payload built for macOS, Windows or Linux. The RAT gave the attacker interactive remote access to the compromised machine.
Once running, the remote access trojan can enumerate the system, harvest secrets and execute arbitrary commands. Its targets include cloud API keys, CI deployment tokens, npm auth tokens, SSH keys, repository access tokens and the other sensitive environment variables commonly present on build agents or engineers' laptops.
From there, attackers can pivot: inspect source code, tamper with future releases, add further backdoors or move downstream into production. For developers working on crypto-related projects (wallets, exchanges, DeFi front-ends), this kind of access can translate directly into theft of digital assets or broader financial fraud.
Stealth tactics: why the compromise was hard to spot
The malware authors did their best to keep their footprint small and short-lived. According to researchers, the dropper cleaned up its traces immediately after execution.
That means that if you inspected node_modules/plain-crypto-js/package.json after infection, you would see an entirely innocuous manifest: no install scripts, no setup.js, no obvious signs of foul play. Common tools such as npm audit or a quick manual directory inspection would not reveal what had already happened.
In practice, this behaviour left investigators relying on external indicators of compromise (IOCs), network telemetry and host artifacts rather than a simple static scan of npm package contents. By the time the attack became public, the malicious versions had already been removed from npm, making it even harder to reconstruct the exact workflow.
Key indicators of compromise for the Axios incident
Even though the malware tried to hide its tracks, security teams have shared concrete IOCs that can help determine whether a given environment was affected. Among the most important are the following:
On the network side, look for connections to:
- Domain: sfrclak.com
- IP address: 142.11.206.73
Both indicators are now blocked by mainstream security vendors, but they remain useful for historical log and SIEM searches.
On the filesystem, investigators have highlighted RAT-related artifacts:
- macOS: /Library/Caches/com.apple.act.mond
- Linux: /tmp/ld.py
- Windows: files under %PROGRAMDATA%\wt and temporary scripts such as %TEMP%\6202033.vbs or .ps1, which may exist only briefly during execution
As for the npm packages, the compromised builds and their published checksums are listed below. Note that the source labels them SHA-256, but each value is 40 hex digits, the length of a SHA-1 digest, so confirm the algorithm against the advisory you take them from before automating a comparison:
- axios@1.14.1: 2553649f2322049666871cea80a5d0d6adc700ca
- axios@0.30.4: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71
- plain-crypto-js@4.2.1: 07d889e2dadce6f3910dcbc253317d28ca61c766
Security companies such as Huntress observed at least 135 systems communicating with the attacker's command-and-control server during the short exposure window, and Google researchers warned that "hundreds of thousands" of secrets may ultimately have been stolen as a result.
Who was behind the attack? Attribution and the North Korea link
Google's Threat Intelligence Group has publicly linked the Axios compromise to a suspected North Korean threat actor tracked as UNC1069. John Hultquist, chief analyst at Google's threat intelligence unit, noted that North Korean operators have a long history of running supply-chain attacks aimed at stealing cryptocurrency and other assets.
According to Google and other security vendors, the Axios incident appears to be part of a broader campaign by North Korean groups, including outfits such as Lazarus, focused on theft, financial crime and data exfiltration across sectors such as crypto, fintech and cloud infrastructure.
While the full impact is still unclear, the combination of a hugely popular package, access to engineering environments and the type of data stolen leads analysts to expect follow-on attacks in the form of further supply-chain compromises, ransomware and direct crypto theft.
How the maintainer account and the npm workflow were abused
One of the most troubling aspects for the open-source community is how the attackers managed to publish malicious Axios versions without touching the public codebase. The key was a compromised maintainer account on npm, believed to belong to the Axios lead maintainer known as jasonsaayman.
The attackers reportedly changed the email address associated with that npm account to one under their control. With that step they could lock out the legitimate maintainer and push new package versions as if they were genuine updates, all while the official GitHub repository remained clean.
The operation also highlighted a structural problem in npm: continued support for legacy authentication tokens, and the need for supply-chain management tooling and strict token policies.
In this case, security researchers pointed out that npm still had a legacy publish token active by default, and no control automatically revoked that token once modern publishing methods were configured. That coexistence created a vulnerable side door that UNC1069 was able to exploit.
The exposure window and early detection
The Axios compromise was not a long, slow-burning affair. The investigation suggests the malicious versions were available on npm for roughly three hours, between late Sunday night and the early hours of Monday or Tuesday, depending on the time zone.
StepSecurity and other firms noted that the attacker had seeded a clean version of the malicious dependency roughly 18 hours before attaching the weaponized variant to Axios. That step appears designed to build a benign package history and avoid tripping automatic anomaly detectors when a dependency suddenly appears.
Once the infected Axios release was running, the trojan performed extensive reconnaissance on each system it landed on: scanning directories, listing running processes, enumerating disks and sending that information back to the attacker's server. All of this happened behind the scenes during what looked to developers like a routine dependency install.
Thanks to a coordinated response from the maintainer, npm and multiple security vendors, the malicious versions were removed within hours. However, as several researchers and Google's own team stressed, a short exposure window does not equal low risk when the target is a library with tens of millions of weekly downloads.
Impact on developers, crypto projects and end users
From a practical standpoint, the most direct victims of the Axios incident are the developers and build environments that installed the malicious versions. Anyone who ran an install or build that pulled in axios@1.14.1, axios@0.30.4 or plain-crypto-js@4.2.1 with scripts enabled should assume the system may be fully compromised.
For projects in the cryptocurrency space (wallets, centralized and decentralized exchanges, DeFi dashboards, trading bots and Web3 front-ends), the stakes are especially high. Many of these systems rely on Axios to talk to blockchain gateways, APIs and backend services, and they often handle sensitive secrets such as private keys, API credentials and user data.
If an engineer's workstation or a CI agent for such a project was infected, attackers would have gained not only locally stored secrets but also access to repositories and deployment pipelines. With that, they could inject malicious code into future releases, put users at risk indirectly or divert funds.
By contrast, end users running finished applications in their browsers are in a better position: the RAT was delivered during install and build steps, not at runtime in the browser. Visiting a site that uses Axios for client-side calls therefore does not trigger this attack. The risk is concentrated on those who installed the affected npm packages.
Immediate steps engineers should take
Security teams and maintainers have been clear: if your systems may have pulled in the compromised Axios or plain-crypto-js releases, treat those hosts as completely untrusted until investigated. That means more than just bumping a version number.
Specific actions recommended by researchers and vendors include:
- Audit your dependencies and lock files: search for axios@1.14.1, axios@0.30.4 and plain-crypto-js@4.2.1 in package-lock.json, pnpm-lock.yaml, yarn.lock and CI logs, and identify a safe path to recovery.
- Upgrade to verified safe versions: move to a clean Axios release (for example, the subsequent tags published by the maintainers) and make sure your lock files are regenerated.
- Rotate credentials aggressively: assume any secret present on affected machines or pipelines (cloud API keys, npm tokens, SSH keys, deployment keys, .env variables) may have been stolen, and rotate it.
- Rebuild compromised systems: where possible, reprovision build agents, CI runners and engineer workstations from trusted images rather than trying to clean them in place.
- Block C2 infrastructure: add sfrclak.com and 142.11.206.73 to firewalls, DNS blocklists and EDR rules.
- Hunt for artifacts: check the filesystem paths and temporary files associated with the RAT on macOS, Windows and Linux hosts.
Several security firms have advised organizations that installed the tainted versions to assume compromise by default. In other words, proceed on the assumption that attackers had access, and work methodically through incident-response steps rather than trusting that the malware did nothing.
Broader lessons for software supply-chain security
Beyond the immediate clean-up, the Axios incident has reignited debate about how the wider ecosystem handles trust, identity and distribution in open source. It shows how a single library maintainer's account can become a cornerstone of many organizations' security posture.
Several themes emerged from the post-mortems and vendor analyses:
- Legacy tokens are a liability: old npm tokens can quietly persist alongside newer OIDC-based workflows. Projects need explicit policies for revoking them once safer methods are in place.
- Automatic updates cut both ways: automated dependency bumping speeds up development but also means a malicious release can propagate through environments before anyone notices.
- Dependency scanning is necessary but not sufficient: static checks and npm audit are useful, but they struggle with transient behaviour such as self-deleting post-install scripts.
- Maintainer security is critical infrastructure: strong MFA, hardware security keys, careful management of access tokens and regular review of who can publish are now as important as writing good code.
For founders, CTOs and engineering leaders, the Axios compromise is a reminder that supply-chain risk is a business problem as much as a technical one. It affects how fast you can ship, how you design your CI/CD pipelines, and how you balance the convenience of open source against the need to verify what you run in production.
Taken together, the Axios compromise on npm shows how a short-lived but well-planned attack can turn a trusted building block of the JavaScript ecosystem into a covert delivery channel for remote-access malware. With attackers targeting maintainers and distribution channels as much as end users, keeping software supply chains healthy now depends on strict controls around publishing workflows, aggressive anomaly monitoring and a willingness to treat dependencies with the same suspicion once reserved for external network traffic alone.