Full Report
Researchers identified an active supply chain attack affecting multiple npm packages that leverages a novel abuse of the binding.gyp build mechanism to execute malicious code during package installation. Unlike traditional npm supply chain attacks that rely on preinstall or po...
Analysis Summary
# Technique: binding.gyp Abuse for Installation-Time Execution
## Overview
This technique involves a novel method for supply chain compromise within the npm ecosystem. By abusing the standard `binding.gyp` configuration file—traditionally used to compile native C++ addons—attackers can execute arbitrary commands during the package installation process. This method is particularly effective because it bypasses security scanners that specifically look for suspicious `preinstall` or `postinstall` scripts in `package.json`.
## Technical Details
- **Type**: Technique / Supply Chain Attack Vector
- **Platform**: Cross-platform (any environment using npm/Node.js, particularly CI/CD pipelines)
- **Capabilities**: Arbitrary command execution, evasion of script-based detection, worm-like propagation.
- **First Seen**: June 2024 (Reported via Wiz/StepSecurity)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - **T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain**
- **TA0002 - Execution**
  - **T1059.003 - Command and Scripting Interpreter: Windows Command Shell**
  - **T1059.004 - Command and Scripting Interpreter: Unix Shell**
- **TA0003 - Persistence**
  - **T1546 - Event Triggered Execution**
## Functionality
### Core Capabilities
- **Scriptless Execution**: Executes code without using the `scripts` field in `package.json`, evading `--ignore-scripts` in some configurations and static analysis tools that only inspect lifecycle scripts.
- **Command Injection via Shell Expansion**: Leverages the `sources` array in `binding.gyp`. When `node-gyp` processes this file, it may use shell expansion, allowing backticked commands or variable expansions to execute system commands.
- **Automated Lifecycle Integration**: Because npm runs `node-gyp rebuild` by default for any package that ships a `.gyp` file, the execution happens automatically on `npm install` with no script entry required.
### Advanced Features
- **CI/CD Worm Propagation**: The malicious code is designed to identify GitHub Actions tokens or npm registry tokens within CI/CD environments.
- **Automated Backpatching**: It can automatically inject malicious code into other repositories the compromised token has access to, enabling the attack to spread from one package to others managed by the same entity.
## Indicators of Compromise
- **File Names**: `binding.gyp`
- **Behavioral Indicators**:
  - `node-gyp` spawning unexpected shell processes (`sh`, `bash`, `cmd.exe`).
  - Outbound network connections to unauthorized registries or credential drop points during `npm install`.
  - Modification of `.github/workflows` files in internal repositories.
- **Network Indicators**:
  - `stepsecurity[.]io` (research reference)
  - (The specific C2 domains identified in this campaign are typically npm-registry look-alikes or data-exfiltration endpoints and are reported in defanged form.)
## Associated Threat Actors
- **TeamPCP**: The actor group identified as the primary operator of this campaign.
## Detection Methods
- **Signature-based detection**: Scanning for `binding.gyp` files that contain shell execution syntax (e.g., backticks `` ` `` or `$()` within the `sources` or `libraries` arrays).
- **Behavioral detection**: Monitoring CI/CD runners for unauthorized credential access (e.g., reading `~/.npmrc` or environment variables) during the build phase.
- **Audit Tools**: Using tools like `npm audit` or specialized supply chain scanners (e.g., StepSecurity, Socket.dev) that have been updated to inspect `.gyp` file contents.
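The signature-based check above, as an added example written for this page (not code from the report, StepSecurity or Socket.dev): a scanner that parses each `binding.gyp`, walks the `sources` and `libraries` arrays (plus a few assumed related fields such as `include_dirs`, `cflags` and `ldflags`), and flags any string containing backtick or `$()` substitution syntax. The sample package names and gyp contents are constructed for the demonstration. gyp files are Python dictionary literals, so `ast.literal_eval` parses them directly, with JSON as a fallback.

```python
"""Scan binding.gyp files for shell-expansion syntax in build input arrays.

Added example, not from the original report or any vendor tool. gyp files are
Python dictionary literals, so ast.literal_eval parses them directly; plain
JSON is accepted as a fallback.
"""
import ast
import json
import os
import re
import tempfile
from dataclasses import dataclass

# gyp keys whose strings end up in generated build files. 'sources' and
# 'libraries' come from the report; the others are assumed to merit the same check.
WATCHED_FIELDS = ("sources", "libraries", "include_dirs", "cflags", "ldflags")

# Shell substitution syntax named in the report: backticks and $( ... ).
SHELL_EXPANSION = re.compile(r"`[^`]*`|\$\([^)]*\)")


@dataclass
class Finding:
    path: str   # file in which the string was found
    field: str  # gyp key holding the suspicious string
    value: str  # the string itself


def parse_gyp(text):
    """Parse gyp text: Python literal first, JSON second."""
    text = text.strip()
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return json.loads(text)


def _walk(node, field, path, findings):
    """Visit the parsed tree; 'field' is the watched key we are currently
    under (None outside any watched key), so only its strings are checked."""
    if isinstance(node, dict):
        for key, value in node.items():
            _walk(value, key if key in WATCHED_FIELDS else None, path, findings)
    elif isinstance(node, list):
        for item in node:
            _walk(item, field, path, findings)
    elif isinstance(node, str) and field and SHELL_EXPANSION.search(node):
        findings.append(Finding(path, field, node))


def scan_gyp_text(text, path="binding.gyp"):
    """Return a list of Finding for one binding.gyp's contents."""
    findings = []
    _walk(parse_gyp(text), None, path, findings)
    return findings


def scan_tree(root):
    """Scan every binding.gyp below root (e.g. a node_modules directory)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "binding.gyp" in files:
            full = os.path.join(dirpath, "binding.gyp")
            with open(full, encoding="utf-8") as fh:
                findings.extend(scan_gyp_text(fh.read(), full))
    return findings


# Constructed samples, not the contents of any real package.
BENIGN_GYP = """
{
  'targets': [{
    'target_name': 'addon',
    'sources': ['src/addon.cc', 'src/util.cc'],
    'libraries': ['-lz'],
  }]
}
"""

SUSPICIOUS_GYP = """
{
  "targets": [{
    "target_name": "addon",
    "sources": ["src/addon.cc", "`uname -a`"],
    "libraries": ["-lz", "$(whoami)"]
  }]
}
"""


def build_sample_tree():
    """Write the two samples into a throwaway node_modules layout (package
    names are made up) and return its root so scan_tree runs offline."""
    root = tempfile.mkdtemp(prefix="gyp-scan-")
    for name, text in (("good-addon", BENIGN_GYP), ("bad-addon", SUSPICIOUS_GYP)):
        pkg = os.path.join(root, "node_modules", name)
        os.makedirs(pkg)
        with open(os.path.join(pkg, "binding.gyp"), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.path}: shell expansion in '{f.field}': {f.value}")
```

Run it against a real `node_modules` directory by calling `scan_tree("node_modules")`; the benign sample produces no findings, while the suspicious one yields one finding for `sources` and one for `libraries`. The field whitelist is deliberate: gyp files legitimately contain parentheses and quotes in places such as `defines`, so checking only the arrays the report names keeps the false-positive rate low.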
## Mitigation Strategies
- **Enforce OIDC**: Use OpenID Connect (OIDC) for npm publishing from CI/CD to eliminate long-lived secrets.
- **Restrict Permissions**: Use the `permissions` feature in GitHub Actions to set `contents: read` by default, preventing a leaked token from pushing code changes.
- **Install Flags**: Use `npm install --ignore-scripts` to mitigate traditional hooks, though organizational policy should be updated to audit native build dependencies.
- **Lockfile Integrity**: Use `npm ci` and verify lockfile integrity to ensure no unauthorized files have been added to the dependency tree.
## Related Tools/Techniques
- **Hook-based Attacks**: Traditional `preinstall` / `postinstall` malware.
- **Typosquatting**: Often used in conjunction to deliver the malicious `binding.gyp` file to unsuspecting developers.
- **Dependency Confusion**: Leveraging internal vs. external naming to trigger the download of the malicious package.