debug
cpe:2.3:a:debug_project:debug:*:*:*:*:node.js:*:*
- 4.4.2
A supply-chain attack compromised the popular JavaScript debugging utility 'debug' and several related npm packages. After a phishing attack against the package maintainer's npm account, the attacker published malicious code as version 4.4.2 of 'debug' and as new versions of 18 other packages. The malicious code, built to intercept and manipulate cryptocurrency transactions, has since been removed from the npm registry, but the compromised versions were installable for a window during which downstream builds and lockfiles could have picked them up. The payload only activates in browser environments, where it redirects funds to attacker-controlled wallets; applications that only run the package locally or on a server are not affected by the payload, although they should still remove the compromised version.
The injected malware intercepts and alters cryptocurrency transactions, redirecting funds to addresses the attacker controls. It works by hooking the connected wallet's provider and the common wallet and network APIs in the page, so the recipient is swapped before the user is asked to sign; unless the user compares the address shown in the wallet's confirmation prompt with the one they intended, the manipulation goes unnoticed.
The compromise can be reproduced by installing the affected version of 'debug', either directly or as a transitive dependency of another package; it is the version resolved in the lockfile, not the range in package.json, that decides whether 4.4.2 is installed. Once the malicious version is bundled into a page, the payload activates in the browser, particularly when a wallet is connected. It can be observed by capturing the page's outgoing transaction requests (the devtools network log or an intercepting proxy) and comparing the recipient address and amount with the values the application intended: altered requests redirect funds to attacker-controlled addresses. Searching package-lock.json (or the equivalent yarn/pnpm lockfile) for 'debug' 4.4.2 is the quickest way to find exposed builds.
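The two checks below are an added example written for this page, not code from the original advisory or from the debug project. The first asks whether the page's network entry points are still browser-native functions, which is what a JavaScript wrapper installed by injected code changes; the second compares a transaction the application built with the same request as captured on the wire. The function names, the look-alike threshold, and the sample addresses and global object are assumptions constructed for illustration.

```javascript
// Added example, not code from the original advisory or the debug project.
// Two client-side checks for the behaviour described above. All sample
// values below are constructed for illustration.

// ---- Check 1: are the page's network entry points still browser-native? ----
// A browser-native function stringifies to "function name() { [native code] }",
// whereas a JavaScript wrapper installed by injected code stringifies to its
// own source. Caveat: Function.prototype.bind also yields "[native code]", so
// bound wrappers are caught through their "bound " name prefix instead. A
// payload that also patches Function.prototype.toString defeats this check.
function isNativeCode(fn) {
  if (typeof fn !== 'function') return false;
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src) && !fn.name.startsWith('bound ');
}

// Returns the names of the hookable entry points that are no longer native.
// `g` is the global object (call auditHooks(window) in a browser); a plain
// object is accepted so the audit can run outside a browser. Wallet providers
// such as window.ethereum are themselves JavaScript, so they cannot be audited
// this way and are deliberately not listed here.
function auditHooks(g) {
  const xhr = g.XMLHttpRequest && g.XMLHttpRequest.prototype;
  const targets = {
    'fetch': g.fetch,
    'XMLHttpRequest.prototype.open': xhr && xhr.open,
    'XMLHttpRequest.prototype.send': xhr && xhr.send,
  };
  return Object.entries(targets)
    .filter(([, fn]) => fn !== undefined && !isNativeCode(fn))
    .map(([name]) => name);
}

// Constructed stand-in for a page whose XMLHttpRequest.prototype.open has been
// replaced by a JavaScript wrapper; Array.prototype.push stands in for a
// genuine native function.
const HOOKED_GLOBAL = {
  fetch: Array.prototype.push,
  XMLHttpRequest: { prototype: { open: function open() { /* wrapper */ }, send: Array.prototype.push } },
};

function runHookSample() {
  return auditHooks(HOOKED_GLOBAL);
}

// ---- Check 2: did the transaction leave the page as the dapp built it? ----
// `intended` is the eth_sendTransaction params object the application built;
// `observed` is the same request as captured on the wire. A recipient swap
// shows up as a differing `to`; a swap to a look-alike address (same leading
// and trailing hex digits) is flagged separately because it is the variant a
// user is least likely to notice in the wallet's confirmation prompt.
const EVM_ADDRESS = /^0x[0-9a-fA-F]{40}$/;

// Length of the common prefix and of the common suffix (non-overlapping).
function sharedEnds(a, b) {
  let prefix = 0;
  while (prefix < a.length && prefix < b.length && a[prefix] === b[prefix]) prefix++;
  let suffix = 0;
  while (suffix < a.length - prefix && suffix < b.length - prefix &&
         a[a.length - 1 - suffix] === b[b.length - 1 - suffix]) suffix++;
  return { prefix, suffix };
}

function compareTx(intended, observed, lookalikeDigits = 4) {
  const findings = [];
  for (const field of ['to', 'value', 'data']) {
    const i = intended[field], o = observed[field];
    if (i === o) continue;
    const finding = { field, intended: i, observed: o, lookalike: false };
    if (field === 'to' && EVM_ADDRESS.test(String(i)) && EVM_ADDRESS.test(String(o))) {
      // compare the 40 hex digits case-insensitively, ignoring the 0x prefix
      const { prefix, suffix } = sharedEnds(i.slice(2).toLowerCase(), o.slice(2).toLowerCase());
      finding.lookalike = prefix >= lookalikeDigits && suffix >= lookalikeDigits;
    }
    findings.push(finding);
  }
  return findings;
}

// Constructed sample: the dapp intended to pay INTENDED_TO; the captured
// request carries a look-alike address sharing its first and last four digits.
const INTENDED_TO = '0xab12' + 'c'.repeat(32) + '34ef';
const LOOKALIKE_TO = '0xab12' + 'd'.repeat(32) + '34ef';

function runSample() {
  const intended = { to: INTENDED_TO, value: '0x2386f26fc10000', data: '0x' };
  const observed = { ...intended, to: LOOKALIKE_TO };
  return compareTx(intended, observed);
}

console.log(runHookSample());
console.log(runSample());
```

Both checks are for confirmation and triage, not prevention: a payload that runs before the page's own scripts can also patch Function.prototype.toString, and the transaction comparison only works when the intended values come from somewhere the payload cannot rewrite, such as the application's own state or a server-side record of the order.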
Users should upgrade to 'debug' version 4.4.3, delete the node_modules directory, clear the package manager's global cache (for npm, npm cache clean --force) so that a cached tarball of 4.4.2 cannot be reinstalled, reinstall from a lockfile that no longer resolves 4.4.2, and rebuild browser bundles from scratch; any bundle built while 4.4.2 was installed should be treated as compromised and redeployed. Operators of private registries or registry mirrors should purge the compromised versions from their caches so that downstream installs cannot fetch them again.
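The script below is an added example, not tooling from the advisory or the debug project. It walks an npm lockfile (both the flat "packages" map of lockfile v2/v3 and the nested "dependencies" tree of v1) to locate every installed copy of a compromised release, including nested copies under other dependencies, and then prints the clean-up steps described above. The COMPROMISED map, the sample lockfile and the command list are assumptions; only debug@4.4.2 is named on this page, so the map carries just that entry.

```javascript
// Added example, not the advisory's or the debug project's own tooling: find
// where a compromised release sits in an npm lockfile, including nested copies
// that are easy to miss, then print the clean-up steps.
// Usage: node audit-lock.js path/to/package-lock.json  (no argument: runs the sample)

// Compromised versions per package. This page names only debug@4.4.2; add the
// other packages and versions from the full advisory to this map.
const COMPROMISED = { debug: new Set(['4.4.2']) };

// Lockfile v2/v3 keep a flat "packages" map keyed by install path, e.g.
// "node_modules/some-lib/node_modules/debug"; the package name is the part
// after the last "node_modules/" (scoped names keep their "@scope/" prefix).
function scanPackages(packages, compromised, hits) {
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === '' || !meta || !meta.version) continue;  // '' is the root project
    const name = installPath.split('node_modules/').pop();
    if (compromised[name] && compromised[name].has(meta.version)) {
      hits.push({ path: installPath, name, version: meta.version });
    }
  }
}

// Lockfile v1 nests transitive dependencies under each entry's "dependencies".
function scanDependencies(deps, prefix, compromised, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const installPath = prefix + 'node_modules/' + name;
    if (meta && compromised[name] && compromised[name].has(meta.version)) {
      hits.push({ path: installPath, name, version: meta.version });
    }
    if (meta && meta.dependencies) {
      scanDependencies(meta.dependencies, installPath + '/', compromised, hits);
    }
  }
}

// Returns [{ path, name, version }] for every compromised copy in the lockfile.
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];
  // v2 lockfiles carry both shapes; scan only one to avoid double counting.
  if (lock.packages) scanPackages(lock.packages, compromised, hits);
  else if (lock.dependencies) scanDependencies(lock.dependencies, '', compromised, hits);
  return hits;
}

// Clean-up the advisory calls for, in order, run from the project root.
const REMEDIATION = [
  'npm update debug         # move every copy to 4.4.3; use an "overrides" entry if a dependency pins 4.4.2',
  'rm -rf node_modules',
  'npm cache clean --force  # drop any cached tarball of the malicious release',
  'npm ci                   # reinstall strictly from the corrected lockfile',
  'rebuild and redeploy every browser bundle produced while 4.4.2 was installed',
];

// Constructed sample lockfile (lockfileVersion 3): the top-level debug is
// already clean, but a nested copy under some-lib still resolves to 4.4.2.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/debug': { version: '4.4.3' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/debug': { version: '4.4.2' },
  },
};

function main(lockPath) {
  const lock = lockPath
    ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8'))
    : SAMPLE_LOCK;
  const hits = findCompromised(lock);
  if (hits.length === 0) {
    console.log('no compromised versions found');
    return;
  }
  for (const h of hits) console.log(`${h.name}@${h.version} at ${h.path}`);
  console.log('\nremediation:\n  ' + REMEDIATION.join('\n  '));
}

main(process.argv[2]);
```

Run it against every lockfile in the build, not only the top-level one: a nested copy is exactly the case where `package.json` ranges look fine while the bundle still contains 4.4.2. For yarn or pnpm, apply the same name-plus-version test to their own lockfile formats.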