Malicious pgserve, automagik developer tools found in npm registry

CSO Online, 23/04/2026, 00:28

Summary

AI-Generated

Key Points:

  • Malicious versions of pgserve and automagik have been discovered in the npm registry, posing a significant threat to application developers by stealing sensitive data, including AWS and Azure credentials.
  • The malware not only harvests credentials but also propagates itself by injecting malicious code into other packages using npm publish tokens, leading to widespread compromise.
  • Developers are advised to rotate all credentials immediately, disable automatic postinstall script execution, and implement strict access controls and software composition analysis tools.

Technical Details: The malicious pgserve versions (1.1.11 to 1.1.13) inject a credential-harvesting script that runs during installation. This malware operates as a supply-chain worm, leveraging npm tokens for further propagation.

MITRE ATT&CK Techniques:

  • T1078 - Valid Accounts (Defense Evasion, Persistence)
  • T1190 - Exploit Public-Facing Application (Initial Access)
  • T1003.001 - OS Credential Dumping: LSASS Memory (Credential Access)
  • T1021.001 - Remote Services: Remote Desktop Protocol (Lateral Movement)

IOCs Mentioned:

  • Malicious package versions: pgserve 1.1.11, 1.1.12, 1.1.13; automagik versions 4.260421.33 through 4.260421.39
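The two passages above (the postinstall credential harvester and the listed package versions) can be turned into a simple lockfile check. The following is an added example, not code from the article or from either project: a Node.js script that scans an npm `package-lock.json` (lockfile v2/v3, which carries a `packages` map keyed by install path) for the exact pgserve and automagik versions named in the report, including copies nested under other dependencies. The lockfile object embedded here is constructed for demonstration; in practice you would `JSON.parse` the real file.

```javascript
// Added example: flag the malicious pgserve/automagik versions named in the report
// inside an npm package-lock.json. Uses only the Node.js standard library.

// IoC table built from the versions listed in the article.
const MALICIOUS_VERSIONS = {
  pgserve: new Set(["1.1.11", "1.1.12", "1.1.13"]),
  // automagik 4.260421.33 through 4.260421.39 inclusive
  automagik: new Set(Array.from({ length: 7 }, (_, i) => `4.260421.${33 + i}`)),
};

// Derive the package name from a lockfile "packages" key such as
// "node_modules/pgserve" or "node_modules/some-tool/node_modules/automagik".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return every installed package whose (name, version) matches the IoC table.
function findMaliciousPackages(lockfile, iocs = MALICIOUS_VERSIONS) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lockfile.packages || {})) {
    if (lockPath === "") continue; // the root project entry, not a dependency
    const name = meta.name || packageNameFromPath(lockPath);
    const badVersions = iocs[name];
    if (badVersions && badVersions.has(meta.version)) {
      hits.push({ name, version: meta.version, path: lockPath });
    }
  }
  return hits;
}

// Convenience wrapper for CI gates: true when no listed version is present.
function isLockfileClean(lockfile, iocs = MALICIOUS_VERSIONS) {
  return findMaliciousPackages(lockfile, iocs).length === 0;
}

// Constructed sample lockfile (not a real project): one direct hit, one nested hit,
// and one automagik version just outside the reported range.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/pgserve": { version: "1.1.12" },
    "node_modules/automagik": { version: "4.260421.40" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-tool/node_modules/automagik": { version: "4.260421.35" },
  },
};

// Stand-alone run: print each finding as one line for easy grepping in CI logs.
for (const hit of findMaliciousPackages(SAMPLE_LOCKFILE)) {
  console.log(`MALICIOUS ${hit.name}@${hit.version} at ${hit.path}`);
}
console.log(isLockfileClean(SAMPLE_LOCKFILE) ? "lockfile clean" : "lockfile NOT clean");
```

Because the reported payload runs from an install-time script, pair this check with `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) in build pipelines so that a matching package is identified before any lifecycle script gets a chance to execute; the lockfile scan then acts as a second gate rather than the only one.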

This incident highlights the critical need for vigilance in managing open-source dependencies and implementing robust security measures in development environments to mitigate risks associated with supply chain attacks.
