
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN043
_____________________________________________________________________

DATE                : 26/01/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Any system on which one of the npm packages
                      discord-fix, sonatype or an0n-chat-lib has been
                      installed, in any published version other than
                      0.0.1-security (the empty placeholder npm publishes
                      in place of a removed malicious package).

=====================================================================
https://www.npmjs.com/advisories/1597
https://www.npmjs.com/advisories/1597/versions
https://www.npmjs.com/advisories/1596
https://www.npmjs.com/advisories/1596/versions
https://www.npmjs.com/advisories/1598
https://www.npmjs.com/advisories/1598/versions
_____________________________________________________________________


Advisory timeline

    published
    Advisory Published
    Jan 25th, 2021

    reported
    Reported by Sonatype Research team
    Jan 25th, 2021


Malicious Package
discord-fix

Overview

From
https://blog.sonatype.com/sonatype-spots-more-discord-malware-in-npm?hs_preview=BbDPGbfh-40737456755:

The malicious packages were detected by Sonatype’s Security Research
Team leveraging Sonatype’s Nexus Intelligence research service. On
analyzing these packages closely, our Security Research Team confirmed
that the packages pose a security risk and gathered clear evidence that
the malware campaign was using a Discord bot to generate fake download
counts for the packages to make them appear more popular to potential users.


Remediation

Any computer that has this package installed or running should be
considered fully compromised. All secrets and keys stored on that
computer should be rotated immediately from a different computer. The
package should be removed, but as full control of the computer may have
been given to an outside entity, there is no guarantee that removing the
package will remove all malicious software resulting from installing it.
Check lockfiles and CI build agents as well as developer workstations:
a package pulled in as a transitive dependency will not appear in
package.json, only in package-lock.json and under node_modules.

=======

Versions

Affected

0.0.1    3 days ago
0.0.2    3 days ago

Unaffected

0.0.1-security    3 days ago

_____________________________________________________________________


Advisory timeline

    published
    Advisory Published
    Jan 25th, 2021

    reported
    Reported by Sonatype Research team
    Jan 25th, 2021


Malicious Package
sonatype


Overview

Same as for discord-fix above: the three packages were identified in the
same Sonatype blog post and the npm advisory text is identical.


Remediation

Same as for discord-fix above.


=====


Versions

Affected

2.0.3    4 days ago
2.0.4    4 days ago
2.0.5    4 days ago
2.0.6    4 days ago
2.0.7    4 days ago


Unaffected

0.0.1-security    4 days ago


_____________________________________________________________________

Advisory timeline

    published
    Advisory Published
    Jan 25th, 2021

    reported
    Reported by Sonatype Research team
    Jan 25th, 2021


Malicious Package
an0n-chat-lib


Overview

Same as for discord-fix above: the three packages were identified in the
same Sonatype blog post and the npm advisory text is identical.


Remediation

Same as for discord-fix above.

====

Versions

Affected

0.1.0    4 days ago
0.1.1    4 days ago
0.1.2    4 days ago
0.1.3    4 days ago
0.1.4    4 days ago
0.1.5    4 days ago

Unaffected

0.0.1-security    4 days ago

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


