Malicious Package: com.outsystems.plugins.fileviewer

Description

Malicious packages are software components intentionally designed or compromised to perform harmful actions on a system where they are installed or executed. Unlike legitimate software with unintentional vulnerabilities, these packages harbor malicious intent.

Key Characteristics of Malicious Packages:

  • Intent: Designed to steal data, gain unauthorized access, disrupt operations, or cause other harm.
  • Deception: Often masquerade as useful utilities or popular libraries (sometimes through typosquatting, publishing under names very similar to legitimate packages), or are benign, unmaintained packages that an attacker takes over and weaponizes in a later release.
  • Distribution: Commonly distributed through public software repositories (e.g., npm, PyPI, Maven Central, RubyGems, NuGet), relying on developers to unwittingly include them in their projects. They can also be injected into legitimate packages if an attacker gains control of the package owner's account or the build infrastructure.
  • Payloads: Can include various types of malware such as spyware, ransomware, credential stealers, crypto miners, backdoors, or code that facilitates further attacks.

Common Objectives:

  • Data Exfiltration: Stealing sensitive information like user credentials, API keys, financial data, personal identifiable information (PII), or intellectual property.
  • System Compromise: Gaining unauthorized control over developer machines, build servers, or end-user devices.
  • Resource Abuse: Using compromised systems for activities like cryptocurrency mining or participating in DDoS botnets.
  • Lateral Movement: Using an initial foothold to move deeper into an organization's network.
  • Financial Theft: Directly stealing funds or facilitating financial fraud.

Identifying and mitigating the threat from malicious packages is a critical aspect of modern software supply chain security.

Recommendation

Immediate Remediation Steps:

  1. Isolate Affected Systems:

    • Disconnect from the network any machine (developer workstations, build servers) on which this package was built, installed, or run, to prevent further spread or data exfiltration.
    • If the package shipped in a released application, assess the scope of affected end-user devices (app versions, install base) as far as your telemetry allows.
  2. Remove the Malicious Package:

    • Identify all projects and applications that include com.outsystems.plugins.fileviewer.
    • For Cordova projects, check package.json (both the dependencies map and the cordova.plugins map), config.xml (<plugin name="..."> entries), the fetched copy under plugins/com.outsystems.plugins.fileviewer/ and its record in plugins/fetch.json, node_modules/, and the generated platform files such as assets/www/cordova_plugins.js under platforms/android or platforms/ios.
    • Remove the dependency from your project's configuration (package.json, config.xml, etc.) and from the lockfile.
    • Rebuild your application from a known clean environment after confirming the package is no longer present anywhere in the project tree.
    • Thoroughly clean build caches and artifacts: delete node_modules/, plugins/ and platforms/, clear the package-manager cache (for npm, npm cache clean --force), and discard previously built binaries rather than reusing them.
  3. Credential Rotation (Critical):

    • From a separate, trusted computer, rotate ALL secrets and keys that were present on or accessible from the compromised system(s). This includes:
      • Passwords (user, admin, service accounts)
      • API keys and tokens
      • SSH keys
      • Encryption keys
      • Database credentials
      • Cloud provider credentials
      • Version control system credentials
  4. System Investigation and Sanitization:

    • Because an attacker may have achieved full control, simply removing the package is often insufficient.
    • Conduct a thorough forensic investigation on affected systems to identify the extent of the compromise, any persistence mechanisms, and other malicious tools that may have been installed.
    • Consider re-imaging affected developer workstations and build servers from a known good state.
  5. Notify Affected Parties:

    • If customer data or end-user devices might be affected, follow your incident response plan for notification.
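As an added example (this editor's, not part of the advisory or of any Cordova tooling), the following POSIX shell script automates the search in step 2: it walks a Cordova project for every place the plugin ID can be recorded, so the removal and the clean rebuild can be verified rather than assumed. It assumes the standard Cordova project layout, builds its own constructed sample project to run against, and all function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): enumerate every location in a
# Cordova project that references a plugin ID, so the removal in step 2
# can be verified before rebuilding. Standard Cordova layout is assumed.
set -eu

PLUGIN_ID="com.outsystems.plugins.fileviewer"

# Print one line per reference to plugin $2 under project root $1:
#   path:line:text   for a textual reference
#   path/: present   for a fetched copy of the plugin source
cordova_plugin_refs() {
    proj="$1"; id="$2"
    # Declarations and records: package.json ("dependencies" and
    # "cordova"."plugins"), config.xml (<plugin name=...>), lockfiles, and
    # Cordova's own plugins/fetch.json plus per-platform plugin registries.
    for f in package.json package-lock.json yarn.lock config.xml \
             plugins/fetch.json plugins/android.json plugins/ios.json; do
        [ -f "$proj/$f" ] || continue
        # /dev/null as a second file forces grep to prefix the path.
        grep -nF -- "$id" "$proj/$f" /dev/null || true
    done
    # Fetched sources: cordova plugin add copies the plugin into plugins/<id>/
    # and, for npm-published plugins, npm installs it under node_modules/<id>/.
    for d in "plugins/$id" "node_modules/$id"; do
        if [ -d "$proj/$d" ]; then
            echo "$proj/$d/: present"
        fi
    done
    # Generated build output: cordova_plugins.js (the runtime plugin manifest)
    # and per-platform copies under platforms/*. These are regenerated on
    # build, so a hit here means stale output that must be deleted, not edited.
    if [ -d "$proj/platforms" ]; then
        find "$proj/platforms" -type f \
            \( -name cordova_plugins.js -o -name '*.json' -o -name '*.xml' \) \
            -exec grep -nF -- "$id" {} /dev/null \;
    fi
    return 0
}

# Number of reference lines reported for plugin $2 under $1.
cordova_plugin_ref_count() {
    n=$(cordova_plugin_refs "$1" "$2" | wc -l)
    echo $((n + 0))   # arithmetic strips the padding BSD wc adds
}

# Constructed sample (not a real app): a tainted project with the plugin
# recorded in each location the scan covers, and a clean sibling.
make_sample_project() {
    root=$(mktemp -d)
    www="platforms/android/app/src/main/assets/www"
    mkdir -p "$root/tainted/plugins/$PLUGIN_ID" "$root/tainted/$www" "$root/clean"
    cat > "$root/tainted/package.json" <<EOF
{
  "name": "sample-app",
  "dependencies": { "$PLUGIN_ID": "^1.0.0" },
  "cordova": { "plugins": { "$PLUGIN_ID": {} } }
}
EOF
    cat > "$root/tainted/config.xml" <<EOF
<widget id="com.example.sample">
  <plugin name="$PLUGIN_ID" spec="^1.0.0" />
</widget>
EOF
    echo "{ \"$PLUGIN_ID\": { \"source\": { \"type\": \"registry\", \"id\": \"$PLUGIN_ID\" } } }" \
        > "$root/tainted/plugins/fetch.json"
    echo "module.exports.metadata = { \"$PLUGIN_ID\": \"1.0.0\" };" \
        > "$root/tainted/$www/cordova_plugins.js"
    echo '{ "name": "clean-app", "dependencies": {} }' > "$root/clean/package.json"
    echo "$root"
}

# Demo run against the constructed sample: 6 hits for the tainted tree, 0 for the clean one.
sample=$(make_sample_project)
echo "== tainted project =="
cordova_plugin_refs "$sample/tainted" "$PLUGIN_ID"
echo "references: $(cordova_plugin_ref_count "$sample/tainted" "$PLUGIN_ID")"
echo "== clean project =="
echo "references: $(cordova_plugin_ref_count "$sample/clean" "$PLUGIN_ID")"
rm -rf "$sample"
```

Run it against a real checkout with cordova_plugin_refs /path/to/app com.outsystems.plugins.fileviewer. Any hit under platforms/ or node_modules/ after package.json and config.xml have been edited means stale build output is still carrying the plugin, which is why step 2 ends with deleting those directories and rebuilding from a clean environment.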

Preventative Measures for the Future:

  1. Dependency Scanning:

    • Implement automated Software Composition Analysis (SCA) tools in your CI/CD pipeline to scan for known vulnerabilities and malicious packages in your dependencies.
    • Regularly update the databases for these tools.
  2. Vet Dependencies:

    • Before adding a new dependency, research its reputation, maintainers, download statistics, and look for any reported security issues.
    • Prefer well-maintained packages from trusted sources.
  3. Pin Dependencies:

    • Use lockfiles (e.g., package-lock.json, yarn.lock) to pin dependencies to specific, known-good versions, and install with a command that honors the lockfile strictly (npm ci rather than npm install) so a drifted or missing entry fails the build instead of silently resolving to a newer release. This prevents unintentional upgrades to potentially malicious newer versions; it does not protect against a version that was already malicious when it was first pinned, which is what vetting and scanning are for.
  4. Use Scoped Packages and Private Registries (If Applicable):

    • For internal packages, use scoped names and a private registry so that a public package with the same name cannot be substituted for yours (dependency confusion). This advisory concerns a malicious public package rather than substitution, but the control still narrows what your builds can resolve.
  5. Principle of Least Privilege:

    • Ensure build environments and developer workstations operate with the minimum necessary privileges.
  6. Developer Education:

    • Train developers on the risks of software supply chain attacks and best practices for dependency management.
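To make the pinning advice enforceable rather than advisory, here is an added example (this editor's, not from the advisory or from the Cordova project) of a shell gate for a CI pipeline: it fails when config.xml declares a Cordova plugin with a floating version range or when the project has no lockfile. The Cordova CLI normally records a caret range such as ^6.0.0 when a plugin is added, so a check like this catches the default rather than an unusual mistake. It assumes Cordova's own config.xml layout (one <plugin> element per line with name before spec), uses a constructed pair of sample projects whose plugin names are real Cordova plugins but whose versions are illustrative, and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the Cordova project): a CI gate
# that fails when config.xml declares a plugin with a floating version
# range or when the project has no lockfile. Assumes Cordova's own
# config.xml layout: one <plugin .../> element per line, name before spec.
set -eu

# Print "name spec" for each <plugin name=... spec=.../> in config.xml $1.
# Plugins declared without a spec, or only in package.json, are not listed.
list_config_plugins() {
    sed -n 's/.*<plugin[^>]*name="\([^"]*\)"[^>]*spec="\([^"]*\)".*/\1 \2/p' "$1"
}

# Approximate "exact semver": major.minor.patch with an optional prerelease
# or build suffix. Anything else (^, ~, >=, x-ranges, *, latest, git URLs,
# "1.0.0 || 2.0.0") can resolve to a different artifact on a later install.
is_exact_version() {
    case "$1" in
        *[!0-9A-Za-z.+-]*) return 1 ;;   # range operators, spaces, URL characters
    esac
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "name spec" for every plugin in config.xml $1 whose spec is not exact.
floating_plugins() {
    list_config_plugins "$1" | while read -r name spec; do
        is_exact_version "$spec" || echo "$name $spec"
    done
}

# Gate for project root $1: returns 0 when every plugin is pinned exactly and
# a lockfile is present; prints each finding and returns 1 otherwise.
check_pinned_plugins() {
    proj="$1"; bad=0
    if [ ! -f "$proj/package-lock.json" ] && [ ! -f "$proj/yarn.lock" ]; then
        echo "FAIL no lockfile: commit package-lock.json or yarn.lock and install with npm ci"
        bad=$((bad + 1))
    fi
    if [ ! -f "$proj/config.xml" ]; then
        echo "FAIL no config.xml under $proj"
        return 1
    fi
    n=$(floating_plugins "$proj/config.xml" | wc -l)
    n=$((n + 0))
    if [ "$n" -gt 0 ]; then
        floating_plugins "$proj/config.xml" | sed 's/^/FAIL floating plugin spec: /'
        bad=$((bad + n))
    fi
    [ "$bad" -eq 0 ]
}

# Constructed samples (not real apps): floating specs with no lockfile, and
# the same project fixed. Plugin names are real; versions are illustrative.
make_pinning_samples() {
    root=$(mktemp -d)
    mkdir -p "$root/floating" "$root/pinned"
    cat > "$root/floating/config.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<widget id="com.example.sample" version="1.0.0">
  <plugin name="cordova-plugin-device" spec="2.1.0" />
  <plugin name="cordova-plugin-camera" spec="^6.0.0" />
  <plugin name="cordova-plugin-file" spec="~8.0.0" />
</widget>
EOF
    cat > "$root/pinned/config.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<widget id="com.example.sample" version="1.0.0">
  <plugin name="cordova-plugin-device" spec="2.1.0" />
  <plugin name="cordova-plugin-camera" spec="6.0.0" />
  <plugin name="cordova-plugin-file" spec="8.0.0" />
</widget>
EOF
    echo '{ "name": "sample-app", "lockfileVersion": 3, "packages": {} }' \
        > "$root/pinned/package-lock.json"
    echo "$root"
}

# Demo: the floating project fails the gate, the pinned one passes.
samples=$(make_pinning_samples)
echo "== floating =="; check_pinned_plugins "$samples/floating" || echo "gate result: FAIL"
echo "== pinned =="; check_pinned_plugins "$samples/pinned" && echo "gate result: PASS"
rm -rf "$samples"
```

In a pipeline, run check_pinned_plugins on the checkout before the build step and let its non-zero exit fail the job; pair it with npm ci so that a lockfile that no longer matches package.json also fails instead of being quietly rewritten.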

By taking these steps, organizations can respond to the immediate threat posed by MAL-2022-2047 and strengthen their defenses against future malicious package incidents.

Standards

  • OWASP_MASVS_L1:
    • MSTG_CODE_5
    • MSTG_PLATFORM_2
  • OWASP_MASVS_L2:
    • MSTG_CODE_5
    • MSTG_PLATFORM_2
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_5_1
    • REQ_5_2
    • REQ_6_2
    • REQ_6_3
    • REQ_11_3
  • OWASP_MASVS_v2_1:
    • MASVS_CODE_3
    • MASVS_RESILIENCE_1
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_4_2
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_8_1