JFrog Sounds Alarm on Crypto-Stealing Python Package

JFrog’s security team is advising its customers and the public to be aware of a recent supply chain attack involving a malicious Python package named “ccxd python m-exe – futures” that mimics the popular “ccxt” cryptocurrency exchange trading package and can cause widespread damage.
The ccxt library is a collection of available crypto exchanges or exchange classes. Each class implements the public and private API for a particular crypto exchange. All exchanges are derived from the base exchange class and share a set of common methods. To access a particular exchange from the ccxt library, developers need to create an instance of the corresponding exchange class. Supported exchanges are updated frequently, and new exchanges are added regularly.
Once inside a system, attackers aim to steal user credentials for the MEXC exchange platform. This attack involves typosquatting, mimicking the interfaces of the original package, and altering response types to hide malicious activity. Typosquatting is a malicious practice where criminals register names (domain names or, as here, package names) that are very similar to legitimate ones but with slight spelling errors or variations.
The goal is to trick users into visiting a fake third-party website, often to steal their personal information, install malware or redirect them to other malicious servers, JFrog supply chain security team leader Brian Moussalli told The New Stack.
This most recent attack, first discovered earlier this month, targets developers and potentially cryptocurrency traders using custom scripts, with a broad range of potential victims due to the nature of supply chain attacks.
Identifying the malicious package is tricky because it mimics the original and downloads the original itself, Moussalli said. Red flags include new users deploying packages with names similar to popular ones, and packages with few downloads.
JFrog’s software helps secure software development lifecycles and provides tools such as Catalog and Distribution to filter packages and set approval rules. The attack, discovered about two weeks ago, inflicted harm across various repositories that include PyPI, npm, NuGet and GitHub, Moussalli said.
Because crypto trading mechanisms are generally secure, these attackers hit softer targets, including communication with servers, crypto wallets and earlier stages of trading to steal credentials. A successful attack using stolen user credentials could drain a user’s crypto account, Moussalli said.
“When we’re looking at suspicious code, we try to check indicators, like when the code was created, or if the authors don’t have any track record — it could be a new user deploying a package that seems important but ‘kind of looks’ suspicious,” Moussalli said.
“Once we find them, we report them to the repository maintainers, and this is part of our mission.”
Moussalli said JFrog also has found exploits “that try to inject (malicious) code into your crypto wallet. Let’s say you have a local application (such as a Coinbase, Paybis or MoonPay wallet). They would just inject a piece of code that would change the behavior of your crypto wallet and leak your credentials to some other place, then take away your login credential, and so on.”
Impossible Mission
In view of all the millions of software downloads that take place each day globally, Moussalli said that trying to keep track of all the techniques attackers use is “an impossible mission for software developers. That’s why security experts have to tackle this issue with new tools and techniques and products.”
“A software supply chain attack can hit (an enterprise) in any of those stages — from the development part to the building part, to storing your artifacts on some server and deploying to production,” Moussalli said. “So, I think it wouldn’t be fair to put this pressure on the software development team, since your vulnerable spots could be all over your activity or what your organization does. It’s really a hard task to put on a software development team.”
