The post NPM Supply Attack: Malicious Tinycolor Steals Secrets Using TruffleHog appeared first on Live Bitcoin News.

NPM Supply Attack: Malicious Tinycolor Steals Secrets Using TruffleHog

2025/09/17 05:30
3 min read

The popular npm package @ctrl/tinycolor was targeted in a supply chain attack. The malicious versions steal secrets by running TruffleHog scans.

The npm package ecosystem has been hit by a large supply chain attack targeting the popular @ctrl/tinycolor package and over forty other packages.

These malicious versions contain a hidden script that silently steals sensitive developer secrets, causing alarm in the development community.

The attack uses TruffleHog, a legitimate secret-scanning tool, to find and exfiltrate tokens and cloud credentials from infected machines.

Malicious Versions Infect 40+ Packages, Raising Alarms

The altered versions of @ctrl/tinycolor (4.1.1 and 4.1.2) include a function that downloads a package, modifies its contents, injects a malicious script called bundle.js, repackages it, and republishes it.

This creates self-replicating malware that automatically infects other packages maintained by the same authors.

It affected over 40 packages across a range of maintainers, including other packages in the @ctrl scope as well as community modules.

The bundle.js file executes on package installation. It then downloads and runs TruffleHog, which searches the developer's machine and repositories for sensitive tokens, such as GitHub personal access tokens, npm authentication tokens, and cloud service keys for AWS and GCP.

When it finds these secrets, it exfiltrates them to a hard-coded external webhook address, exposing users' credentials without their knowledge.

The campaign is not limited to local machines. It also writes malicious GitHub Actions workflows into infected repositories.

Continuous integration runs can trigger this workflow, relaying stolen secrets over time and enabling continuous data leaks.

Self-Spreading Malware Creates Cascading Compromise

The malware spreads automatically using the NpmModule.updatePackage function, which lets it infect other packages maintained by the same developers.

This worm-like behaviour creates a chain of supply-chain compromises that spreads automatically after the initial infection, without any manual intervention.

The environment variables targeted by the attack include GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY.

It validates the tokens against the npm and GitHub APIs, then uses them to write persistent malicious workflows.

These measures keep the malware in place during subsequent CI runs and let it keep stealing secrets throughout the development pipeline.

Security professionals urge developers to perform an emergency audit and remove any affected package versions.

They suggest rotating any leaked tokens and secrets and monitoring for abnormal publishing activity or network traffic to the exfiltration hosts. Daniel dos Santos Pereira was the first to notice the malicious payload and its effects, with the help of Socket's automated malware scanner.

