Project Hyphae

Trust me, I’m a professional. NPM hijacking, as predicted.

This Is Fine


A couple of weeks ago we made a post regarding a vulnerability with Node Package Manager (NPM): if a package maintainer account has an email address on a defunct domain, an attacker could register the defunct domain, set up the registered email account, use it to take control of the maintainer account and the NPM package, and then publish malicious changes to the package.

Well, that is exactly what happened. On May 14th, “security researcher” Yanus Aydin, aka SockPuppets, registered defunct domains and hijacked two popular NPM packages, “ctx” and “PHPass”. Code changes were then published to steal AWS secret keys.

Now, Yanus claims this was all done as part of ‘ethical research’ for a bug bounty exercise and defiantly says “no malicious activity occurred.” Given that these security issues existed and were widespread, that alerts and articles were being published just days before this “exercise” was carried out, and that AWS secret keys were definitely stolen… Yeah, no, I am sure this is Fine…

Let this be a case in point: when a security issue or vulnerability gets published, attackers will be reading the same articles the defenders do, and whether it's a ‘bug bounty’ or a straight-up admitted attack, we need to act quickly to make sure threats are accounted for and addressed as quickly as possible.
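As an added example (not code from the original post), here is a defender-side audit of the condition described above: for each dependency's registry metadata, flag maintainers whose email domain no longer resolves. The metadata shape is the one returned by registry.npmjs.org; the sample package names and email addresses are constructed placeholders, and the resolver is pluggable so the check runs offline.

```python
"""Audit npm maintainer email domains for expired-domain takeover risk."""
import socket
from typing import Callable, Dict, List

# Constructed sample in the shape of https://registry.npmjs.org/<package>,
# reduced to the fields this check needs. Names and emails are placeholders.
SAMPLE_REGISTRY = {
    "example-pkg-a": {
        "maintainers": [
            {"name": "alice", "email": "alice@example.com"},
            {"name": "bob", "email": "bob@expired-domain.invalid"},
        ]
    },
    "example-pkg-b": {
        "maintainers": [{"name": "carol", "email": "carol@example.org"}]
    },
}


def domain_resolves(domain: str) -> bool:
    """Live resolver (needs network): True if the domain has an A/AAAA record.
    Heuristic only: a domain with MX records but no address record also fails here,
    so confirm any finding against the registrar's expiry data (RDAP/WHOIS)."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def find_risky_maintainers(
    registry: Dict[str, dict],
    resolves: Callable[[str], bool] = domain_resolves,
) -> Dict[str, List[str]]:
    """Return {package: [maintainer emails]} where the email domain does not resolve."""
    findings: Dict[str, List[str]] = {}
    for package, meta in registry.items():
        for maintainer in meta.get("maintainers", []):
            email = maintainer.get("email", "")
            if "@" not in email:
                continue  # malformed or missing address; nothing to check
            domain = email.rsplit("@", 1)[1].strip().lower()
            if not resolves(domain):
                findings.setdefault(package, []).append(email)
    return findings


if __name__ == "__main__":
    offline = lambda d: d != "expired-domain.invalid"  # stand-in resolver for the sample
    print(find_risky_maintainers(SAMPLE_REGISTRY, resolves=offline))
```

Run it over the metadata of every package in your lockfile and treat any hit as a dependency to pin, review, or replace until the maintainer's domain status is confirmed.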

https://isc.sans.edu/diary/rss/28678

https://www.bleepingcomputer.com/news/security/hacker-says-hijacking-libraries-stealing-aws-keys-was-ethical-research/
