Malicious Package Affecting 3a-look package, versions *


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Mature

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-3ALOOK-5819570
  • published 4 Aug 2023
  • disclosed 4 Aug 2023
  • credit Checkmarx

Introduced: 4 Aug 2023

Malicious CVE NOT AVAILABLE CWE-506 Open this link in a new tab

How to fix?

Avoid using all malicious instances of the 3a-look package.

Overview

3a-look is a malicious package.

This instance of the 3a-look package contains malware and attempts to compromise users by adopting dependency confusion techniques. A dependency confusion attack is a type of supply chain attack where malicious software is inserted into the development process by replacing a legitimate software package with a malicious one.

Note: Users are exposed if they've installed the 3a-look package from public repositories. Installations of this package from private repositories or CDNs are likely safe to use.

This package is part of an Open Source Supply Chain Attack campaign conducted by the Lazarus Group. The threat actors initiated the attack chain by impersonating developers and recruiters to target employees of technology firms, focused on individuals associated with the blockchain, cryptocurrency, and online gambling sectors. The threat actors would establish initial contact through fake persona accounts on platforms such as LinkedIn, Slack, and Telegram, and on establishing a rapport with the targets, usually shifting communication to a different platform. Once contact was established, the attacker would invite the target to collaborate on a GitHub repository, containing malicious npm package dependencies which would then be used to compromise the victim.

IoC

cryptopriceoffer[.]com
npmjscloud[.]com
npmrepos[.]com
tradingprice[.]net
npmjsregister[.]com
npmcloudjs[.]com
bi2price[.]com
npmaudit[.]com
coingeckoprice[.]com

These spoofed packages have no relation to the company or project they are attempting to spoof, and are not published by them or associated with them in any way. Out of an abundance of caution, Snyk will mark any occurrence of the package as malicious, regardless of download source. Only the user can determine with certainty whether it is the intended package and can be safely ignored.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High