
"Remote Dynamic Dependencies provide greater flexibility in accessing dependencies, the code libraries that are mandatory for many other packages to work. Normally, dependencies are visible to the developer installing the package. They're usually downloaded from NPM's trusted infrastructure. RDD works differently. It allows a package to download dependencies from untrusted websites, even those that connect over HTTP, which is unencrypted."
"The PhantomRaven attackers exploited this leniency by including code in the 126 packages uploaded to NPM. The code downloads malicious dependencies from URLs, including http://packages.storeartifact.com/npm/unused-imports. Koi said these dependencies are "invisible" to developers and many security scanners. Instead, they show the package contains "0 Dependencies." An NPM feature causes these invisible downloads to be automatically installed."
A campaign tracked as PhantomRaven uploaded 126 malicious packages to NPM; they have been downloaded more than 86,000 times, and about 80 of them were still available at the time of the report. The attackers abused Remote Dynamic Dependencies (RDD), a feature that lets a package pull its dependencies from arbitrary URLs on untrusted domains, even over unencrypted HTTP. Because such a dependency is fetched at install time from a URL rather than resolved through the registry, many static analysis tools and security scanners never see it and report the package as having "0 Dependencies." Every install fetches whatever the attacker's server currently serves, so the credential-stealing payload can be swapped at will and stays out of reach of tooling that inspects only the published package.
Read at Ars Technica