‘Culturestreak’ malware lurks inside GitLab Python package

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.

This week: Cryptomining “culturestreak” malware lurks inside GitLab Python package. Also: A malicious campaign targets Kubernetes via npm.?

This Week’s Top Story

‘Culturestreak’ malware lurks inside GitLab Python package

Researchers at Checkmarx this past week discovered an active Python file on GitLab that is able to hack system resources to mine cryptocurrency . The malicious package, “culturestreak,” came from an active repository on GitLab’s developer site from user Aldri Terakhir. This particular incident is a unique open source software compromise in comparison to others, which are usually found on platforms like npm and PyPI. Instead, this incident occurred as a result of GitLab’s product being “open core,” meaning that anyone outside of GitLab can contribute to the project, leaving it vulnerable to malicious actors in the same way that PyPI and npm are.??

When the culturestreak package is downloaded from the GitLab platform, it is deployed and runs in an infinite loop that exploits system resources with the aim of mining Dero cryptocurrency . Checkmarx researchers also believe that the package can “slow down your computer, and potentially expose you to further risks.” And because it runs in an infinite loop, the package will continually exploit system resources, making it a relentless threat for victims.?

Techniques the package uses include obfuscation, which hides sensitive information or makes it more difficult for a threat hunter to understand the malicious code’s intent. The package will also go through various steps once deployed to download a malicious binary onto the victim’s device, which researchers believe is meant to deceive antivirus or security software from detecting these malicious components. Finally, an additional binary is downloaded that is commonly known as a tool for mining Dero crypto on GitHub, called “astrominer 1.9.2 R4.”?

This incident is just one example of many malicious campaigns that have taken advantage of open source software repositories, highlighting the need for developers to “always vet code and packages from unverified or suspicious sources,” Checkmarx researcher Yehuda Gelb shared.?

This Week’s Headlines

Fresh wave of malicious npm packages threaten Kubernetes configs and SSH keys

Researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server. So far, 14 packages from this campaign have been discovered by Sonatype, and attempted to impersonate JavaScript libraries and components. (The Hacker News )

GitLab urges users to install security updates for critical pipeline flaw

GitLab has released security updates to address a critical severity vulnerability that allows attackers to run pipelines as other users via scheduled security scan policies. GitLab is a popular web-based open-source software project management and work tracking platform, offering a free and commercial version. The flaw was assigned CVE-2023-5009 (CVSS v3.1 score: 9.6), and impacts GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.12 through 16.2.7 on versions 16.3 through 16.3.4. (Bleeping Computer )

Army seeks input on SBOMs for software supply chain security

The U.S. Army is looking to the private sector for ideas on proactive monitoring and critical vulnerability mitigation to shore up its software supply chain security, and improve the security of its thousands of software components and third-party libraries, principally through implementing Software Bills of Material (SBOM). Their Request for Information (RFI) was shared last week. (MeriTalk )

Key findings from the CISA 2022 Top Routinely Exploited Vulnerabilities report

Chris Romeo shares the key takeaways from the recently published CISA 2022 Top Routinely Exploited Vulnerabilities report , which was compiled with international partners from Australia, Canada, New Zealand, and the UK. The document details the common vulnerabilities and exposures (CVEs) routinely and frequently exploited by malicious actors in 2022, as well as their associated common weakness and enumerations (CWEs). (CSO )

Microsoft AI researchers leaked 38TB of secrets, private keys, and passwords

The Microsoft AI research team inadvertently exposed 38 terabytes of private data on their GitHub repository. This exposure resulted from the misconfiguration of an Azure feature known as SAS tokens, which are used to share data from Azure Storage accounts. The misconfiguration allowed access to the entire storage account, including sensitive information including personal computer backups, passwords, secret keys, and more than 30,000 internal Microsoft Teams messages from 359 Microsoft employees. (Cyber Security News )

Resource Round Up

Upcoming Webinar: Static Analysis vs Static Binary Analysis: The Future of Complex Code Deconstruction

This webinar aims to provide an understanding of the difference in the analysis technology, illustrating how static binary analysis is leveraged to bolster a software security posture and understand the security risks prior to deployment into organizations. (Save Your Seat )

ConversingLabs Podcast: The Art of Security Chaos Engineering

In this episode , host Paul Roberts chats with Kelly Shortridge, a Senior Principal at Fastly, Black Hat 2023 speaker, and author on how to foster agility and nimbleness in enterprise security teams. (Watch It Now )

On Demand 25-min Webinar: Reducing False Positives in the SOC Through Software Analysis

This on-demand webinar explains how software supply chain analysis can reveal important information that security teams should leverage to tune detections across security solutions before deploying new software. (Watch It Now )