npm Package for ReExt React Components Library Exfiltrates Git Credentials

Summary:
The Socket Research Team has identified security risks associated with the npm package React ReExt, which collects sensitive developer information without consent. The package, claiming to be maintained by a former Sencha engineer, has been found to exfiltrate Git credentials and other personal data to a suspicious domain. Developers are urged to scrutinize their dependencies for hidden telemetry and unauthorized data access.
#npmSecurity #Spyware #DataExfiltration


Key points:

  • The npm package React ReExt poses significant security risks and is suspected of containing spyware.
  • It was first published in April 2023 and has gained moderate popularity with thousands of downloads.
  • The package collects sensitive developer information, including operating system username, Git username, and Git email.
  • Data collection occurs without user consent via a ‘preinstall.js’ file.
  • The package sends collected data to a suspicious domain using either HTTP or HTTPS based on the operating system username.
  • Communication with the package author revealed evasive responses regarding data collection practices.
  • Developers are advised to review supply chain alerts and be cautious of packages that collect telemetry data.

MITRE Techniques

  • Data Collection (T1056): Collects sensitive developer information without consent through a preinstall script.
  • Exfiltration Over Command and Control Channel (T1041): Sends collected data to a remote server using HTTP/HTTPS requests.
  • Credential Dumping (T1003): Attempts to read and extract Git configuration details from the user’s system.

IoC:

  • [url] hxxps://2tak.l.serverhost.name:1962
  • [ip address] 176.223.135.31


Full Research: https://socket.dev/blog/npm-package-for-reext-react-components-library-exfiltrates-git-credentials