Home Cd rom This week in security: NPM vandalism, simulation of restarts, etc.

This week in security: NPM vandalism, simulation of restarts, etc.


We’ve covered quite a few stories about malware sneaking into the NPN and other JavaScript repositories. It’s a little different. This time a JS programmer vandalized his own packages. It’s not even malware, maybe we should call it protestware? Both packages colors and faker are both popular, with a combined weekly download of nearly 23 million. their author, [Marak] added a breaking update to each of them. These libraries now print a header of LIBERTY LIBERTY LIBERTY, then either random characters or very poor ASCII art. It was confirmed that it was not an outside attacker, but [Marak] voluntarily break his own projects. Why?

It seems that this story begins at the end of 2020, when [Marak] lost a lot in a fire and had to ask for money on Twitter. Edit: Thanks to the commenter [Jack Dansen] for pointing out an important missing detail. Marak was charged with reckless endangerment and suspected of possible terrorist aspirations because bomb-making materials were found in his burnt-out apartment. Two weeks later, he tweeted that billions were won out of the work of open source developers, citing a FAANG leak. FAANG is a reference to the big five American technology companies: Facebook, Apple, Amazon, Netflix and Google. On the same day, he opened an issue on Github for faker.js, issuing an ultimatum: “Take this opportunity to send me a six-figure annual contract or forge the project and have someone else work on it. »

If you feel sorry for [Marak], there is one wrinkle left to turn. He didn’t commit code for colors.js since February 2018. Another developer, [DABH] been doing maintenance since then, until the vandalism happened. All in all, it’s a mess. Both projects on NPM returned to their versions without a hitch and will likely be pivoted to the official forks of the projects.

Simulated restarts

The common wisdom is that while there are multiple iOS malware kits, produced by groups like NSO, that malware can’t actually defeat Apple’s Secure Boot, so a restart of the phone is enough to “uninstall” it. . The problem with that is obvious once you hear it: you’re trusting a compromised device to perform a clean reboot. ZecOps researchers have demonstrated the ability to interrupt the reboot process in what they call NoReboot. Their code hooks into the shutdown function and kills the UI instead. Once the power button is pressed again, the boot animation appears and finally a handy system command restarts the userspace. Watch the embedded demo below.

No problem, right? Just use the hardware force restart feature. Volume up, volume down, then press and hold the power button until you get the Apple logo. How long do you hold it? Until the logo appears – right, it’s trivial to fake a forced restart before the real one happens. OK, so to know you’re getting a real reboot, you just need to remove the battery… Oh.

through The File.

Microsoft hacker macOS

MacOS has a feature called Transparency, Consent, and Control (TCC) that manages permissions for individual apps. This system, for example, prevents the calculator application from accessing the system’s webcam. The settings are stored in a database stored in the home directory, with strict controls preventing applications from modifying it directly. Microsoft announced the Powerdir vulnerability, which combines a few quirks to overcome the protection. The exploit is simple: create a fake TCC database, then change the user’s home directory so that the spoofed database is now the active database. It’s a bit more complicated than that, because a random app really shouldn’t be able to remap the home directory.

They found two techniques to make the remapping work. The first is the directory services binaries, dsexport and dsimport. Although changing home directory directly requires root access, this export/import dance can be done as an unprivileged user. The second technique is to deliver a malicious bundle to the configd binary, which performs a code injection attack. It’s interesting to see Microsoft continue to research security targeting macOS. Their motivation may not be noble, but it really helps to secure all our devices.


We’ve covered quite a few NAS vulnerabilities over the years, and I’ve noted many times that it really isn’t a good idea to expose devices like this to the internet. One of the suggested explanations was UPnP, and today we have official confirmation that this is indeed part of the problem. In a new notice, QNAP officially recommends disabling UPnP on QNAP devices. Seems like this should have been recommended a while ago, or better yet, those devices ship with UPnP disabled by default. I would take it a step further and also suggest disabling the feature in your router unless you know you actually need it for something.

If you receive a USB drive in the mail…

For God’s sake, don’t plug it in! It seems that a few companies did not receive this memo, as there was a successful ransomware campaign by FIN7 using only this approach. The trick is that they include an official letter and maybe a gift card, prompting the recipient to plug in the USB drive to claim their loyalty reward. A 2020 campaign by the same group impersonated Best Buy, where it claims to be from Amazon or HHS.

You may have understood that these flash drives are more than just flash storage. In fact, they appear to be BadUSB devices – small chips that register as HID devices and send keystrokes to the computer. Once plugged in, they open Powershell and run a malicious script, giving attackers remote access. If you receive one of these attacks or a similar attack, call the FBI or your local equivalent. Reports from companies and individuals are what lead to warnings like this.

Notable Updates

The first set of Android updates for this year have been released, and there is a major issue affecting a plethora of Qualcomm Snapdragon-powered devices. CVE-2021-30285 is a critical vulnerability in Qualcomm’s closed-source software. This is called “bad kernel input validation”, but seems to be a memory management issue in the Qualcomm hypervisor. It is rated 9.3 on the CVSS scale, but no further details are available at this time.

VMWare’s virtualization products have been patched against CVE-2021-22045, a heap overflow vulnerability in their virtual CD-ROM device code. Exploitation could result in VM escape and arbitrary code execution on the machine’s hypervisor, a worst-case scenario for VM operators. The default is rated at 7.7 and luckily a CD image should be actively attached to the machine. So the workaround is quite simple: just remove the CD drive or image.