A package backfill campaign targets Amazon Web Services

May 18, 2022

In the latter days of April, a researcher identified, blocked, and reported two packages that they classified as malicious versions of original AWS packages. This package backfill discovery revealed a new takeover method that targets AWS: attackers scan AWS projects for dependencies that are no longer present in the public npmjs registry, re-register those unclaimed names, and upload packages with compromised content under them.

AWS is one of the most prominent cloud infrastructure providers globally. It is also a primary contributor to the open-source community.

A year ago, Amazon Web Services referenced the first package as an open-source package. AWS also published the second, exploitable package at the start of the year, and both packages were officially authored by AWS before a legitimate author deleted them.

Once the author deleted the packages, their names became available again in the open-source landscape. Anyone can then upload a package containing malicious code under those names; this is how the package backfill campaign begins.

The first package contained a “package.json” file with no signs of malicious content. It was uploaded as a trial run by the threat actor to test whether a name previously used by AWS could be reused. This detail might explain why the name is not a typical Amazon-style name.

The more interesting package is @aws-cdk-example-dynamic-web-config/shared, which borrows the AWS name convincingly and contains malicious code that gathers user data such as environment variables, hostname, and OS.

In addition, the researcher found that other information about the infected devices was collected, such as MAC address, CPU architecture, netmask, amount of free memory, total memory available, network interfaces with their IP addresses, and more sensitive information.

Experts believe that the most effective way to prevent this kind of AWS name takeover in a package backfill campaign is to use a checksum-based lockfile. Users should also ignore these packages, since their sudden appearance is an obvious sign that something is wrong.
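As an added example (not code from the article or from AWS), the audit below shows what a checksum-based lockfile buys you: it walks a package-lock.json `packages` map and flags any dependency that is declared but not locked, any entry without a sha256/sha512 integrity hash, and any entry resolved from somewhere other than the trusted registry. The lockfile content and the `example-unlocked-dep` name are constructed for this example; the trusted registry URL is an assumption.

```javascript
// Constructed sample package-lock.json (lockfileVersion 3 layout); the
// integrity strings are placeholders in the correct format, not real hashes.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: {
        "lodash": "^4.17.21",
        "@aws-cdk-example-dynamic-web-config/shared": "^1.0.0",
        "left-pad": "1.3.0",
        "example-unlocked-dep": "^2.0.0", // declared, never locked
      },
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-PLACEHOLDERLODASHHASH==",
    },
    // A backfilled name that slipped in without an integrity pin.
    "node_modules/@aws-cdk-example-dynamic-web-config/shared": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/@aws-cdk-example-dynamic-web-config/shared/-/shared-1.0.0.tgz",
    },
    // Pinned, but fetched from a host that is not the trusted registry.
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://mirror.example.invalid/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDERLEFTPADHASH==",
    },
  },
};

const TRUSTED_REGISTRY = "https://registry.npmjs.org/"; // assumption

// Returns a list of { name, issue } findings; an empty list means every
// declared dependency is locked, hash-pinned and sourced from the registry.
function auditLockfile(lock, trustedRegistry = TRUSTED_REGISTRY) {
  const findings = [];
  const root = lock.packages[""] || {};
  const declared = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  for (const name of Object.keys(declared)) {
    if (!lock.packages["node_modules/" + name]) findings.push({ name, issue: "declared-but-unlocked" });
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;
    const name = path.replace(/^.*node_modules\//, "");
    if (!/^sha(256|512)-/.test(entry.integrity || "")) findings.push({ name, issue: "missing-integrity" });
    if (!(entry.resolved || "").startsWith(trustedRegistry)) findings.push({ name, issue: "untrusted-resolved" });
  }
  return findings;
}
```

Run it in CI with `npm ci` so that a lockfile with any finding fails the build instead of silently pulling a re-registered name.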
