GHSA-9X64-5R7X-2Q53

Vulnerability from github – Published: 2020-09-01 21:21 – Updated: 2021-10-01 13:30
VLAI?
Summary
Malicious Package in flatmap-stream
Details

Version 0.1.1 of flatmap-stream is considered malicious.

This module runs an encrypted payload targeting a very specific application, copay and because they shared the same description it would have likely worked for copay-dash.

The injected code:

  • Read in AES encrypted data from a file disguised as a test fixture
  • Grabbed the npm package description of the module that imported it, using an automatically set environment variable
  • Used the package description as a key to decrypt a chunk of data pulled in from the disguised file

The decrypted data was part of a module, which was then compiled in memory and executed.

This module performed the following actions:

  • Decrypted another chunk of data from the disguised file
  • Concatenated a small, commented prefix from the first decrypted chunk to the end of the second decrypted chunk
  • Performed minor decoding tasks to transform the concatenated block of code from invalid JS to valid JS (we believe this was done to evade detection by dynamic analysis tools)
  • Wrote this processed block of JS out to a file stored in a dependency that would be packaged by the build scripts:

The chunk of code that was written out was the actual malicious code, intended to be run on devices owned by the end users of Copay.

This code would do the following:

  • Detect the current environment: Mobile/Cordova/Electron
  • Check the Bitcoin and Bitcoin Cash balances on the victim's copay account
  • If the current balance was greater than 100 Bitcoin, or 1000 Bitcoin Cash:
  • Harvest the victim's account data in full
  • Harvest the victim's copay private keys
  • Send the victim's account data/private keys off to a collection

Recommendation

If you find this module in your environment it's best to remove it. The malicious version of event-stream and flatmap-stream have been removed from the npm Registry.

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "flatmap-stream"
      },
      "versions": [
        "0.1.1"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:33:59Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Version 0.1.1 of `flatmap-stream` is considered malicious.\n\nThis module runs an encrypted payload targeting a very specific application, `copay` and because they shared the same description it would have likely worked for `copay-dash`.\n\nThe injected code:\n\n- Read in AES encrypted data from a file disguised as a test fixture\n- Grabbed the npm package description of the module that imported it, using an automatically set environment variable\n- Used the package description as a key to decrypt a chunk of data pulled in from the disguised file\n\nThe decrypted data was part of a module, which was then compiled in memory and executed.\n\nThis module performed the following actions:\n\n- Decrypted another chunk of data from the disguised file\n- Concatenated a small, commented prefix from the first decrypted chunk to the end of the second decrypted chunk\n- Performed minor decoding tasks to transform the concatenated block of code from invalid JS to valid JS (we believe this was done to evade detection by dynamic analysis tools)\n- Wrote this processed block of JS out to a file stored in a dependency that would be packaged by the build scripts: \n\nThe chunk of code that was written out was the actual malicious code, intended to be run on devices owned by the end users of Copay.\n\nThis code would do the following:\n\n- Detect the current environment: Mobile/Cordova/Electron\n- Check the Bitcoin and Bitcoin Cash balances on the victim\u0027s copay account\n- If the current balance was greater than 100 Bitcoin, or 1000 Bitcoin Cash:\n  - Harvest the victim\u0027s account data in full\n  - Harvest the victim\u0027s copay private keys\n  - Send the victim\u0027s account data/private keys off to a collection\n\n\n## Recommendation\n\nIf you find this module in your environment it\u0027s best to remove it. The malicious version of event-stream and flatmap-stream have been removed from the npm Registry.",
  "id": "GHSA-9x64-5r7x-2q53",
  "modified": "2021-10-01T13:30:04Z",
  "published": "2020-09-01T21:21:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dominictarr/event-stream/issues/116"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/737"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Malicious Package in flatmap-stream"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.