September 29, 2023

An unidentified attacker recently noticed that a once-active AWS S3 bucket had been abandoned and, recognizing an opportunity, seized it to distribute malicious payloads.

The NPM package bignum has an install-time component that downloads a prebuilt binary, and that binary was hosted on an Amazon S3 bucket. If the bucket could not be reached, the installer fell back to looking for the binary locally.

Once the attacker controlled the bucket, users who installed bignum also received the attacker's malicious binaries, which were used to steal user IDs, passwords, local environment variables and hostnames before exfiltrating the data.


The lesson is that attackers can poison open-source packages or repositories without altering a single line of code, and go unnoticed while doing so. If a maintainer has abandoned a domain or let its registration lapse, an attacker can simply take it over, and nobody will notice; the result is an infected package.

The root cause was that the distribution source for a binary package was an S3 bucket that appears to have been abandoned and eventually deleted. The bucket was still referenced as a distribution point by existing software; the malicious actor noticed that the abandoned bucket name was still in use as a download location and simply created a new S3 bucket with the same name.

The problem is not limited to software binaries: IP addresses, domain names, externally referenced JavaScript libraries and even disused subdomains are exposed in the same way. This scenario can repeat anywhere a previously trusted distribution location falls out of use and is abandoned.

Once it is abandoned, a malicious actor can gain control of the address or location and use it to quietly distribute malicious payloads.
