A major supply chain attack has recently impacted the JavaScript ecosystem. Neither the RapidFort Platform nor the RapidFort Curated Near Zero CVE Images has been affected by this Qix NPM compromise. As a pro-active measure, to assist our customers and partners, who may have downloaded affected images from public sources (non-RapidFort Sources) RapidFort has made available a utility to help customers locate affected containers.
The NPM account of developer "Qix" — maintainer of widely used packages such as chalk, debug, strip-ansi, and color-convert — was compromised, leading to the publication of malware into specific patch versions.
With more than one billion weekly downloads across these packages.
What Happened
JD informs Joshua on Sept. 8th, who immediately discloses the breach to the public via various channels including GitHub and Hacker News. Josh contacts NPM maintainers to remove the malicious packages.
It appears that the period of exposure is about 3 days, but given the popularity of the packages, the blast radius is wide despite the quick discovery and removal of the infected packages.
Organizations should scan all their software workloads to ensure they are not unwittingly carrying updates that include the malware.
RapidFort's Analysis
In containerized environments, scanners may not detect the presence of these malicious packages, especially in third-party software when the UI assets are bundled into webpacks, which removes the package identification information.
In addition, in many cases, such assets may get bundled directly into programs such as Go executables.
The most reliable way to detect possible infection is by scanning the workloads' filesystems for the malware signature. The following script searches for the malware signature in all the files of a container image. It can be easily adapted to use podman instead of docker, and the signature pattern and the grep command can be used to scan any filesystem:
Shell
#!/bin/bash
has_malware()
{
local image="$1"
local tmpdir
local container_name
local ret
tmpdir="$(mktemp -d)"
container_name="container-name-$$"
docker create --name "${container_name}" "${image}" xxyyz
docker export "${container_name}" -o "${tmpdir}"/"${container_name}.tar"
mkdir -p "${tmpdir}"/exported
tar -xf "${tmpdir}"/"${container_name}.tar" -C "${tmpdir}"/exported/
cd "${tmpdir}"/exported/
echo "Searching for malware pattern ..."
if grep -rzl "6ynt.*0d8dtj552q.*Tumqs9jBcv.*CZKkU.*VuiPa.*D6F68C0710.*IOjJb.*LK2ds9JNq1" ./* ; then
echo ""
echo "Malware found in image $image in above files ^^^"
ret=0
else
ret=1
fi
docker rm -f "$container_name" >/dev/null 2>&1
rm -rf "$tmpdir"
return "$ret"
}
has_malware $1
What Does the Malware Do?
Nevertheless, it is highly recommended to perform a deep signature scan of your user-facing workloads as outlined above.
%20(1).png)
