{ "name": "Malicious npm package targets AWS users", "slug": "malicious-npm-package-targets-aws-users", "description": "ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later version included a postinstall script that downloaded and executed a backdoor payload. The package's history demonstrates the challenges of monitoring open source repositories for threats, and RL introduced Spectra Assure Community to help developers assess package risks.", "published": "2024-06-27T05:58:55+00:00", "created_at": "2024-06-27T05:58:55+00:00", "modified_at": "2024-06-27T07:26:02+00:00", "created_at_opencti": "2024-06-27T05:58:55+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2024-06-27", "aws", "backdoor", "npm", "supply-chain" ], "related_entities": { "observables": [ { "id": "", "name": "91.238.181.250" }, { "id": "", "name": "secure.software" }, { "id": "", "name": "5c3d87cdd9aa9cb28bc3240317983554b40e3f8e47ef8447bba1103d73bfee17" } ], "malware": [ { "id": "legacy:malware:10eb9bae7f792e39", "name": "legacyreact-aws-s3-typescript", "slug": "legacyreact-aws-s3-typescript" } ], "attack_patterns": [ { "id": "7da151b8-315c-4726-be18-0b571f2760c2", "name": "T1559.001" }, { "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4", "name": "T1195.002" }, { "id": "9c5a20d1-0df9-4e99-bcc5-0b731a78b5d1", "name": "T1608" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" }, { "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62", "name": "T1190" } ] }, "external_refs": [ "https://www.reversinglabs.com/blog/a-lurking-npm-package-makes-the-case-for-open-source-health-checks", "https://otx.alienvault.com/pulse/667d1bbf813faaa5009fbfd6" ] }