Friday, September 5, 2025

Wave of npm supply chain attacks exposes hundreds of enterprise developer credentials

The timing of the Nx compromise coincides with another significant npm supply chain discovery: JFrog announced it had separately uncovered eight malicious packages published on npm, including react-sxt, react-typex, and react-native-control, which contained "highly sophisticated multi-layer obfuscation, with over 70 layers of hidden code."

"Open-source software repositories have become one of the main entry points for attackers as part of supply chain attacks, with growing waves using typosquatting and masquerading, pretending to be legitimate," said a blog post by JFrog security researcher Guy Korolevski.

Multiple attack vectors target the npm ecosystem

The JFrog-discovered packages targeted Chrome users on Windows with data theft capabilities designed to extract "sensitive Chrome browser data from all user profiles, including passwords, credit card information, cookies, and cryptocurrency wallets." These packages used numerous evasion techniques including "shadow copy bypass, LSASS impersonation, multiple database access methods, and file-lock circumvention to avoid detection," according to the JFrog post.
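The typosquatting and masquerading pattern JFrog describes, where a malicious package borrows a trusted name plus a short suffix or a one-letter typo, is something a team can screen for before `npm install`. The following is an added example written for this article, not JFrog's tooling; the allowlist of trusted names and the sample package.json are constructed for the demo, and the flagged names are the ones the article reports.

```python
"""Flag npm dependency names that look like lookalikes of trusted packages.
Added example for this article (not JFrog's code). The POPULAR allowlist and
SAMPLE_PACKAGE_JSON are constructed test data."""
import json
from typing import Optional

# Constructed allowlist: package names the organization already trusts.
POPULAR = {"react", "react-dom", "react-native", "lodash", "express", "axios"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typos like 'lodahs'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_reason(name: str) -> Optional[str]:
    """Return why a name looks like a lookalike, or None if it is trusted
    or not close to anything trusted. Longest trusted name is checked first
    so 'react-native-control' is tied to react-native, not react."""
    if name in POPULAR:
        return None
    for known in sorted(POPULAR, key=len, reverse=True):
        if name.startswith(known + "-"):      # masquerade: trusted name + suffix
            return f"masquerade of {known}"
        if edit_distance(name, known) <= 2:   # typosquat: a couple of edits away
            return f"typosquat of {known}"
    return None


def scan_package_json(text: str) -> dict:
    """Return {dependency: reason} for every suspicious entry in a manifest."""
    manifest = json.loads(text)
    findings = {}
    for section in ("dependencies", "devDependencies"):
        for dep in manifest.get(section, {}):
            reason = suspicious_reason(dep)
            if reason:
                findings[dep] = reason
    return findings


SAMPLE_PACKAGE_JSON = """{
  "dependencies": {"react": "^18.0.0", "react-sxt": "1.0.0",
                   "react-typex": "1.0.0", "react-native-control": "1.0.0"},
  "devDependencies": {"lodahs": "4.17.0", "axios": "^1.0.0"}
}"""

if __name__ == "__main__":
    for dep, why in scan_package_json(SAMPLE_PACKAGE_JSON).items():
        print(f"REVIEW {dep}: {why}")
```

A hit only means "review this dependency", since legitimate scoped or community packages also reuse popular prefixes; the check is a cheap gate, not a verdict.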
