Arkham Intelligence data shows that a massive hacking exploit targeting JavaScript code, using malware that raised the alarm earlier this week, was only able to steal $1,043 in cryptocurrency.
A cybersecurity researcher at Wiz published an analysis of “a wide range of” supply chain attacks yesterday, writing in a blog post that bad actors used social engineering to gain control of a GitHub account belonging to Qix (Josh Junon), the maintainer of several popular JavaScript packages.
The hackers published updates to these packages that added malicious code which hooks into browser APIs and crypto wallet interfaces, scanning for cryptocurrency transactions and rewriting recipient addresses and other transaction data.
Strikingly, Wiz researchers conclude that 10% of cloud environments contain instances of the malicious code, and that 99% of all cloud environments use some of the targeted packages, though not all of those environments have downloaded the infected updates.
Despite the potential scale of the exploit, Arkham’s latest data suggests the threat actor’s wallet has received a relatively modest total of $1,043 so far.
The total has grown very slowly over the past few days, mostly through ERC-20 token transfers, with individual transactions ranging from $1.29 to $436.
The same exploit has also been extended beyond Qix’s NPM packages: yesterday an update from JFrog Security revealed that the DuckDB SQL database management system had also been compromised.
The update also suggests that the exploit “seems to be the biggest NPM compromise in history,” highlighting the scale and scope of the attack.
Such software supply chain attacks have become more common, Wiz researchers told Decrypt.
“Attackers realized that if they compromise a single package or dependency, they can reach thousands of environments at once,” they said. “That’s why we’ve seen these cases steadily rise, from typosquatting to malicious package acquisitions.”
In fact, many similar incidents have been spotted in the past few months, including a malicious pull request inserted into Ethereum’s Ethcode extension in July, which saw over 6,000 downloads.
“The NPM ecosystem in particular is frequently targeted because of its popularity and the way developers rely on transitive dependencies,” Wiz Research said.
According to Wiz, the latest incidents reinforce the need for organizations to protect their development pipelines; the researchers urge them to maintain visibility across the entire software supply chain while monitoring packages for unusual behavior.
This appears to be something many organizations did in the case of the Qix compromise, which was detected within two hours of publication.
Rapid detection was one of the main reasons the exploit’s economic damage remained limited, but Wiz’s research suggests there were other factors.
“The payload is designed narrowly to target users with specific conditions and is likely to reduce its scope,” they said.
Developers are also more aware of such threats, and Wiz researchers add that many have put protections in place to catch suspicious activity before it causes serious damage.
“There’s always a chance that we’ll see shock delay reports, but it’s based on what we know today,” they said.