
Newly published NPM versions contain malware

Open pollyzoid opened this issue 7 months ago • 13 comments

Recently published versions 20.0.4, 20.0.5, 20.0.6, 19.0.3 and 18.1.4 contain a post-install script bundle.js that seems to pull various tokens (GitHub, NPM, AWS, GCP) and attempts to exfiltrate cloud account secrets plus whatever trufflehog finds. 20.0.3 was also published with bundle.js but is missing package.json postinstall declaration.

These don't have matching tags on the repo, so publishing tokens have apparently leaked.

ng2-file-upload also looks affected.

edit: Affected versions are now gone from NPM.

pollyzoid avatar Sep 15 '25 13:09 pollyzoid
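A defender-side check for the package shape described in the comment above: install-time lifecycle scripts, and a root-level script file that no entry point declares (which also catches the 20.0.3 case where bundle.js shipped without a postinstall hook), plus a comparison of published versions against repo tags. This is an added example, not code from the ngx-bootstrap project; the manifest, file list, version list and tag list are constructed.

```javascript
// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// manifest: parsed package.json; files: paths inside the tarball, relative to package/
function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle script "${hook}": ${scripts[hook]}`);
  }
  // Script files that legitimately live at the package root are the declared entry points.
  const declared = new Set(
    [manifest.main, manifest.module, manifest.browser]
      .filter(Boolean)
      .map((p) => p.replace(/^\.\//, ''))
  );
  for (const f of files) {
    // A .js/.cjs/.mjs file directly at the root that nothing references is worth a look.
    if (/^[^/]+\.(js|cjs|mjs)$/.test(f) && !declared.has(f)) {
      findings.push(`undeclared root-level script: ${f}`);
    }
  }
  return findings;
}

// Versions on the registry that have no matching git tag (tags may carry a leading "v").
function versionsWithoutTag(publishedVersions, repoTags) {
  const tagged = new Set(repoTags.map((t) => t.replace(/^v/, '')));
  return publishedVersions.filter((v) => !tagged.has(v));
}

// Constructed sample resembling the compromised release shape from the thread.
const suspicious = {
  name: 'example-pkg',
  version: '20.0.4',
  main: 'bundles/example.umd.js',
  scripts: { postinstall: 'node bundle.js' },
};
const suspiciousFiles = ['package.json', 'bundle.js', 'bundles/example.umd.js'];

// Constructed sample of a normal release: no install hooks, only declared entry points.
const clean = { name: 'example-pkg', version: '20.0.2', main: 'index.js', scripts: { test: 'jest' } };
const cleanFiles = ['package.json', 'index.js'];

console.log(auditPackage(suspicious, suspiciousFiles));
console.log(auditPackage(clean, cleanFiles));
console.log(versionsWithoutTag(['20.0.2', '20.0.3', '20.0.4'], ['v20.0.2']));
```

Running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) stops such hooks from executing at all, at the cost of breaking packages that genuinely need them.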

I noticed the same this morning and reported it to NPM support and @valorkin by email.

My initial email went out at 08:49Z, @valorkin acknowledged it at 10:51Z, confirmed he has unpublished the affected versions and rotated the affected tokens at 12:29Z. NPM sent an update on my reports at 13:38Z that they have taken action as well and purged the affected versions.

@valorkin Thanks again for the quick reaction. BTW issues on ng2-file-upload are still disabled, it seems.

patlkli avatar Sep 15 '25 14:09 patlkli

This says all versions. https://github.com/advisories/GHSA-6m4g-vm7c-f8w6. Will it be updated eventually?

sherlock1982 avatar Sep 15 '25 15:09 sherlock1982

First of all, great that all affected versions are removed!

This says all versions. GHSA-6m4g-vm7c-f8w6. Will it be updated eventually?

@patlkli @valorkin ^ could we indeed ask the NPM team to pin the advisory to the affected versions instead of "affected >= 0", to avoid unnecessary heart attacks while reading the description of the vulnerability.

basvandorst avatar Sep 15 '25 15:09 basvandorst

@sherlock1982 @basvandorst @valorkin I've sent them an issue over at https://github.com/github/advisory-database/issues/6140, so hopefully they will correct it soon.

patlkli avatar Sep 15 '25 16:09 patlkli

Since you are using GitHub hosted actions to publish, I would also recommend updating your npm + publish workflow for Trusted Publishing (note the "For GitHub Actions" and "provenance" sections). This would prevent this from happening again since then packages can only be published by this repo's publishing action or with 2FA. (No tokens or secrets to steal)

You can also add the --provenance flag to the publish command so that the NPM registry has a signed cert from GitHub attesting to when/where/how the package was published. And then on the NPM side you can configure the package settings so that only 2FA or the specified repo + action can publish package updates (disable publishing with tokens completely).

Tezra avatar Sep 15 '25 18:09 Tezra

According to https://play.clickhouse.com/play?user=play#c2VsZWN0ICogZnJvbSBnaXRodWJfZXZlbnRzIHdoZXJlIGV2ZW50X3R5cGUgPSAnQ3JlYXRlRXZlbnQnIGFuZCByZWZfdHlwZSA9ICdyZXBvc2l0b3J5JyBhbmQgcmVwb19uYW1lIGxpa2UgJyVzMW5ndWxhcml0eS1yZXBvc2l0b3J5JScgYW5kIGNyZWF0ZWRfYXQgPiAgJzIwMjUtMDgtMjYgMDA6MDA6MDAnIG9yZGVyIGJ5IGNyZWF0ZWRfYXQgQVNDCg== @valorkin was a victim of the Nx / S1ngularity attack. Could this be fallout from that?

AdnaneKhan avatar Sep 15 '25 22:09 AdnaneKhan

Yesterday while trying to install ngx-bootstrap, I ran into a strange issue during npm install. I also stored the full error logs file.

Surajkale1522 avatar Sep 16 '25 13:09 Surajkale1522

@pollyzoid can you share/point to bundle.js? Where is this file?

Madebyspeedster avatar Sep 17 '25 12:09 Madebyspeedster

@pollyzoid can you share/point to bundle.js? Where is this file?

Malicious packages that contained it have been removed from NPM. The bundle.js file was in the root of the tar.gz package.

mukaschultze avatar Sep 17 '25 13:09 mukaschultze

According to https://play.clickhouse.com/play?user=play#c2VsZWN0ICogZnJvbSBnaXRodWJfZXZlbnRzIHdoZXJlIGV2ZW50X3R5cGUgPSAnQ3JlYXRlRXZlbnQnIGFuZCByZWZfdHlwZSA9ICdyZXBvc2l0b3J5JyBhbmQgcmVwb19uYW1lIGxpa2UgJyVzMW5ndWxhcml0eS1yZXBvc2l0b3J5JScgYW5kIGNyZWF0ZWRfYXQgPiAgJzIwMjUtMDgtMjYgMDA6MDA6MDAnIG9yZGVyIGJ5IGNyZWF0ZWRfYXQgQVNDCg== @valorkin was a victim of the Nx / S1ngularity attack. Could this be fallout from that?

I would assume that it was exactly the case. More info about the attack: https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again

tszewcow avatar Sep 17 '25 14:09 tszewcow

So are you going to bump your package version or what?


jusvit avatar Oct 21 '25 00:10 jusvit

What's the deal with versions 20.0.2 to 20.0.6? They're still flagged as compromised all over the internet,

e.g. https://osv.dev/vulnerability/MAL-2025-47197

Are these false positives and the team replaced them already?

jpeer avatar Oct 23 '25 19:10 jpeer

No, they look to have been pulled everywhere. The latest valid package is 20.0.2.

20.0.3 - 20.0.6 (among others) are the malicious ones.

ngx-bootstrap has not pushed another release since 20.0.2. I'd assume when they do it will be 20.0.7 or above.

ADNewsom09 avatar Oct 23 '25 19:10 ADNewsom09