Hijacking S3 Buckets: New Attack Technique

Attackers hijacked an abandoned AWS S3 bucket used to host binaries for the NPM package “bignum,” replacing them with malicious ones that steal credentials and exfiltrate data to the hijacked bucket. This reveals a broader risk across open-source ecosystems, prompting defensive steps like occupying deserted buckets and planting disclaimer files to deter future hijacks. #bignum #NodeGyp #S3BucketHijack #NPM #CredentialExfiltration #Checkmarx

Key Points

  • The NPM package “bignum” used binaries hosted on an AWS S3 bucket which was hijacked after the bucket was abandoned.
  • The counterfeit binary mimicked the original while adding a payload to steal user credentials and environment data.
  • A package can keep referencing a bucket name after the bucket itself has been deleted, so an attacker who re-creates a bucket under that name controls what the reference resolves to.
  • The binary is a native Node.js addon (built through node-gyp) that bridges JavaScript and C/C++ code; such native components expand the attack surface of Node.js modules.
  • The binary harvests data (getpwd/getuid, environment data) and exfiltrates it via a covert channel embedded in a GET request’s user-agent.
  • Proactive defense involved reclaiming deserted buckets and placing a disclaimer to deter similar hijacks, highlighting broader supply-chain risks.

MITRE Techniques

  • [T1496] Resource Hijacking – The attacker seized the abandoned bucket to host malicious binaries. “Recognizing an opportunity, the attacker seized the abandoned bucket.”
  • [T1105] Ingress Tool Transfer – The package used node-gyp to download a binary during installation from an AWS S3 bucket. “The binary file was initially hosted on an Amazon AWS S3 bucket, which, if inaccessible, would prompt the package to look for the binary locally.”
  • [T1082] System Information Discovery – The binary harvested data via getpwd/getuid and environment data. “Further investigation revealed that the binary file harvested data via functions like getpwd and getuid (as seen in the strings printout), extracting environmental data.”
  • [T1567.002] Exfiltration to Web Service – The exfiltration occurred via the user-agent of a GET request. “The exfiltration was craftily performed within the user-agent of a GET request.”

Indicators of Compromise

  • [MD5] Bignum v0.13.0 and v0.12.5 – 1e7e2e4225a0543e7926f8f9244b1aab, f671a326b56c8986de1ba2be12fae2f9
  • [SHA-1] Bignum v0.13.0 and v0.12.5 – b2e1bffff25059eb38c58441e103e8589ab48ad3, ab97d5c64e8f74fcb49ef4cb3a57ad093bfa14a7
  • [SHA-256] Bignum v0.13.0 and v0.12.5 – 3c6793de04bfc8407392704b3a6cef650425e42ebc95455f3c680264c70043a7, 3ba3fd7e7a747598502c7afbe074aa0463a7def55d4d0dec6f061cd3165b5dd1
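A defensive audit that combines the two signals above (the dangling S3 bucket reference from the key points and the SHA-256 indicators from this list), written as an added example rather than code from Checkmarx or the bignum project. The package.json text and bucket name used when exercising it are constructed, and the live probe assumes standard S3 endpoint behaviour (403 for an existing private bucket, 404 for an unclaimed name).

```python
"""Audit a Node.js package for two signals: install-time downloads from an S3
bucket that no longer exists (a name an attacker could re-register) and native
binaries whose SHA-256 matches the bignum IoCs. Added example, not Checkmarx's
code; the bucket probe is injectable so the parsing logic runs offline."""
import hashlib
import re
import urllib.error
import urllib.request
from typing import Callable

# SHA-256 hashes of the malicious bignum v0.13.0 / v0.12.5 binaries (IoC list above).
KNOWN_BAD_SHA256 = {
    "3c6793de04bfc8407392704b3a6cef650425e42ebc95455f3c680264c70043a7",
    "3ba3fd7e7a747598502c7afbe074aa0463a7def55d4d0dec6f061cd3165b5dd1",
}

# Virtual-hosted (<bucket>.s3[.region].amazonaws.com) and path-style
# (s3[.region].amazonaws.com/<bucket>) URL forms; group 1 or 2 is the bucket.
S3_URL = re.compile(
    r"https?://(?:([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"
    r"|s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]+))"
)

def s3_buckets(text: str) -> set[str]:
    """Every bucket name referenced by an S3 URL in text (e.g. a package.json)."""
    return {m.group(1) or m.group(2) for m in S3_URL.finditer(text)}

def bucket_exists_http(bucket: str) -> bool:
    """Live probe. An unauthenticated HEAD on a bucket endpoint answers 403 when
    the bucket exists but is private and 404 (NoSuchBucket) when the name is
    unclaimed, which is exactly the state an attacker can take over."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        urllib.request.urlopen(req, timeout=10)
        return True
    except urllib.error.HTTPError as err:
        return err.code != 404

def dangling_buckets(package_json: str,
                     probe: Callable[[str], bool] = bucket_exists_http) -> set[str]:
    """Buckets a package references that no longer exist. Review every hit:
    whoever recreates that bucket controls what the install step downloads."""
    return {b for b in s3_buckets(package_json) if not probe(b)}

def sha256_matches(data: bytes) -> bool:
    """True when data (e.g. the bytes of a node_modules/**/*.node file) is one
    of the known malicious bignum binaries."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256
```

Run `dangling_buckets` over each dependency's package.json in a lockfile audit, and `sha256_matches` over every prebuilt `.node` file that an install step fetched rather than compiled locally.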

Read more: https://checkmarx.com/blog/hijacking-s3-buckets-new-attack-technique-exploited-in-the-wild-by-supply-chain-attackers/