Usage of third-party packages in software has ballooned over the past decade. And while Software Composition Analysis (SCA) tools have evolved to identify and help mitigate vulnerable packages, some third-party packages show identifiable characteristics that mark them as low-reputation and therefore more likely to become vulnerable or malicious. This is exactly what happened in November 2024 with the @0xengine/xmlrpc package: originally harmless, it had been available and used maliciously for over a year.
The @0xengine/xmlrpc package was first published on October 2nd, 2023. With nearly 1800 downloads at the time, the package was originally introduced as a JavaScript-based XML-RPC server and client for Node.js. With version 1.3.4, code was introduced to steal SSH keys, metadata, bash history and more, using publicly available services like Dropbox to exfiltrate the data.
Additionally, the yawpp repo owned by hpc20235 (no longer available) on GitHub, which claims to be a tool for creating posts on WordPress, lists the malicious @0xengine/xmlrpc package as a dependency. As a result, @0xengine/xmlrpc was automatically installed during setup of the yawpp GitHub repo. While it’s unclear whether the malicious package was intentionally added to yawpp, the malware nevertheless collected system information, achieved persistence via `systemd`, and deployed XMRig, a crypto-miner, compromising 68 systems to mine the Monero cryptocurrency. The @0xengine/xmlrpc package also watched for system-monitoring commands and halted mining whenever one was detected, to avoid detection.
This @0xengine/xmlrpc package attack highlights the risk of maintaining low-reputation software packages in your code, even when there is no known vulnerability or exploit associated with the package. Having tools and developer-native workflows to proactively address low-reputation packages in your code can help minimize tech debt and potential security risks.
Arnica’s code security solution goes beyond Software Composition Analysis (SCA) to evaluate a range of characteristics that would indicate the quality or reputation of a given third-party package. Arnica’s package reputation feature highlights:
By evaluating these metrics, Arnica can provide developers with real-time alerts for low-reputation packages, triggered on every code change. Alerts and reporting on low-reputation characteristics can be fed directly into developers’ existing workflows, in the tools they already use: in the pull request in your source code management system, in chat in Slack or Microsoft Teams, or in tickets in Jira or Azure DevOps Boards.
By tracking contextual insights for every third-party package used in your code base, you can help developers act in real time to improve the quality and security of their code while making the upgrade easy and reducing double work and context switching down the road.
Arnica's proactive low-reputation package detection identified the @0xengine/xmlrpc package as low-reputation based on several key characteristics. There were 0 projects dependent on the latest 3 versions. So even though the package was used early on, it is clearly no longer as “popular” as it once was. Last week, there were only 38 downloads of the package. Both metrics indicate low reputation. Additionally, as the source code repository no longer exists, there is no “social proof” in the form of GitHub stars.
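The three signals above (dependents on the latest versions, weekly downloads, and whether the declared source repository still exists) can be checked by any team that wants to gate its own dependencies. The following is an added example written for this post, not Arnica's code or the package's own code. It scores a package from registry-style metadata and audits a `package.json`, with all inputs constructed inline so it runs offline: the @0xengine/xmlrpc figures mirror the post (38 weekly downloads, 0 dependents on the latest 3 versions, repository gone) but the version list and the healthy comparison package `example-healthy-lib` are invented, and the download threshold of 100 per week is an assumption. In a live pipeline the weekly download count would come from npm's public `https://api.npmjs.org/downloads/point/last-week/<package>` endpoint and the dependents count from your own SCA or registry data.

```javascript
// Added example: score npm package reputation from the three signals named in
// the post. Not Arnica's code; all data below is constructed for illustration.

const LATEST_VERSIONS_TO_CHECK = 3; // "latest 3 versions", as in the post
const MIN_WEEKLY_DOWNLOADS = 100;   // assumed threshold; tune for your org

// Numeric semver comparison (major.minor.patch) so we need no dependencies.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Newest N published versions of a package, taken from registry-style metadata.
function latestVersions(meta, n = LATEST_VERSIONS_TO_CHECK) {
  return Object.keys(meta.versions).sort(compareSemver).reverse().slice(0, n);
}

// Evaluate one package. dependentsByVersion maps version -> number of projects
// depending on it; repoExists is the result of checking the declared repo URL.
function assessReputation({ meta, weeklyDownloads, dependentsByVersion, repoExists }) {
  const signals = [];
  const recent = latestVersions(meta);
  const recentDependents = recent.reduce((sum, v) => sum + (dependentsByVersion[v] || 0), 0);
  if (recentDependents === 0) signals.push(`no dependents on latest ${recent.length} versions`);
  if (weeklyDownloads < MIN_WEEKLY_DOWNLOADS) signals.push(`low weekly downloads (${weeklyDownloads})`);
  if (!meta.repository || !meta.repository.url) signals.push('no source repository declared');
  else if (!repoExists) signals.push('declared source repository no longer exists (no social proof)');
  return { name: meta.name, lowReputation: signals.length > 0, signals, recentVersions: recent };
}

// Walk a package.json and report every dependency that trips at least one signal.
// Packages with no registry data at all are reported too: unknown is not "fine".
function auditDependencies(packageJson, inputsByName) {
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    const inputs = inputsByName[name];
    if (!inputs) {
      findings.push({ name, lowReputation: true, signals: ['no registry data available'], recentVersions: [] });
      continue;
    }
    const result = assessReputation(inputs);
    if (result.lowReputation) findings.push(result);
  }
  return findings;
}

// Constructed sample inputs. The xmlrpc numbers follow the post; the version
// strings and the healthy package are invented for the example.
const SAMPLE_INPUTS = {
  '@0xengine/xmlrpc': {
    meta: {
      name: '@0xengine/xmlrpc',
      versions: { '1.3.2': {}, '1.3.3': {}, '1.3.4': {} }, // constructed list
      repository: { url: 'git+https://github.com/hpc20235/yawpp.git' }, // repo no longer exists
    },
    weeklyDownloads: 38,
    dependentsByVersion: { '1.3.2': 0, '1.3.3': 0, '1.3.4': 0 },
    repoExists: false,
  },
  'example-healthy-lib': {
    meta: {
      name: 'example-healthy-lib',
      versions: { '2.0.0': {}, '2.1.0': {}, '2.1.1': {} },
      repository: { url: 'git+https://github.com/example/healthy-lib.git' },
    },
    weeklyDownloads: 50000,
    dependentsByVersion: { '2.0.0': 40, '2.1.0': 120, '2.1.1': 300 },
    repoExists: true,
  },
};

const SAMPLE_PACKAGE_JSON = {
  dependencies: { '@0xengine/xmlrpc': '^1.3.4', 'example-healthy-lib': '^2.1.0' },
};

const REPORT = auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_INPUTS);
console.log(JSON.stringify(REPORT, null, 2));
```

Run with `node` to print the findings: only @0xengine/xmlrpc is reported, with all three signals, while the healthy package passes. Treating "no registry data" as a finding rather than silently skipping it is deliberate: a dependency you cannot look up deserves the same attention as one that scores badly.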
Arnica helps security teams collaborate with developers in a number of ways to maximize the opportunity for upgrading package quality, while minimizing the effort to do so.
Real-time detection
Arnica flags low reputation in every single code push, in real time. This ensures that developers can be notified about low-reputation packages while they’re working on their code, rather than asking them to come back to it after they’ve moved on to a new project.
Existing code detection
Arnica rescans all your existing code daily. This ensures that package reputation is always up-to-date – whether a low-reputation package was upgraded by your development team or an existing, previously high-reputation package has degraded over time.
Developer-native workflows
Arnica integrates directly into your source code management (SCM) tools – GitHub, GitLab, Bitbucket, Azure DevOps – as well as your chat tools like Slack and Microsoft Teams. This allows you to build fine-grained policies to meet your developers where they are – for example, sending a developer a notification in Slack whenever a low-reputation package is present in committed code.
Ticket management & automation
Sometimes, code just needs to be merged quickly. In this instance, Arnica helps you not lose sight of low reputation packages by auto-creating issues in tools like Jira or Azure DevOps Boards when a low-reputation package is introduced. Arnica will auto-close the ticket when the package is addressed.
Dependency on third-party packages continues to expand in modern software development. While low-reputation packages can be used to deliver malware, as was the case with @0xengine/xmlrpc, the more common impact of low-reputation packages is the upkeep effort they require.
The most common impact of an expanding list of third-party packages is a growing effort to maintain packages as they become outdated and deprecated and turn into tech debt. This represents an operational risk to your software development efforts.
The specifics of the @0xengine/xmlrpc attack highlight the importance of taking proactive measures to keep low-reputation, potentially risky packages out of your code. Arnica’s Package Reputation feature gives you full context, beyond Software Composition Analysis (SCA), for every third-party package in your code.
Book time with the Arnica team to learn more about Arnica’s Package Reputation solution or try Arnica today!