{"id":10901,"date":"2022-08-02T14:02:55","date_gmt":"2022-08-02T11:02:55","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=10901"},"modified":"2022-08-02T14:02:55","modified_gmt":"2022-08-02T11:02:55","slug":"lofylife-malicious-packages-in-npm-repository","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/lofylife-malicious-packages-in-npm-repository\/10901\/","title":{"rendered":"Four malicious packages in the npm repository"},"content":{"rendered":"<p>Open-source code is a godsend for the IT industry. By removing the need to write the same generic code over and over, it saves programmers time and lets them build products faster and more efficiently. Repositories exist to make this sharing of knowledge possible: open platforms where any programmer can publish packages containing their own code to speed up other people's development.<\/p>\n<p>Such repositories serve the countless needs of the IT community and are widely used in developing every kind of modern software imaginable: web applications, mobile apps, smart devices, robots and so on. 
The most popular packages are downloaded millions of times a week and form the foundation of many applications, from pet projects to well-known technology start-ups.<\/p>\n<p><a href=\"https:\/\/medium.com\/npm-inc\/this-year-in-javascript-2018-in-review-and-npms-predictions-for-2019-3a3d7e5298ef\" target=\"_blank\" rel=\"noopener nofollow\">By some estimates<\/a>, 97% of the code in modern web applications comes from npm modules. But their popularity, and the openness that lets anyone upload a package, inevitably attract cybercriminals too. For example, in 2021 unidentified attackers <a href=\"https:\/\/www.kaspersky.com.tr\/blog\/uaparser-js-infected-versions\/10204\/\" target=\"_blank\" rel=\"noopener\">compromised<\/a> several versions of UAParser.js, a popular JavaScript library, by planting malicious code in them. The library was being downloaded 6 to 8 million times a week. 
By infecting this package, the cybercriminals were able not only to mine cryptocurrency but also to steal confidential information such as browser cookies, passwords and operating system credentials from infected devices.<\/p>\n<p>For a more recent example, on June 26, 2022 our researchers <a href=\"https:\/\/securelist.com\/lofylife-malicious-npm-packages\/107014\/\" target=\"_blank\" rel=\"noopener\">discovered a new threat<\/a> in the open-source npm repository, which they named LofyLife.<\/p>\n<h2>So what is LofyLife?<\/h2>\n<p>Our researchers, who use an internal automated system to monitor open-source repositories, identified LofyLife, a malicious campaign. The campaign used four malicious packages in the npm repository to spread the Volt Stealer and Lofy Stealer malware, which collect various information from victims, including Discord tokens and the details of linked credit cards, and spy on the victims in the process.<\/p>\n<p>The malicious packages that were identified appeared to be for mundane tasks such as formatting headings or certain gaming functions. The packages' descriptions were incomplete, and in general the attackers seemed to have put little effort into them. 
That said, the \u2018heading formatting\u2019 package was written in Brazilian Portuguese and carried the #brazil tag, suggesting that the attackers were targeting users in Brazil. The other packages were presented in English, so they may also have been aimed at users in other countries.<\/p>\n<div id=\"attachment_10903\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10903\" class=\"wp-image-10903 size-large\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2022\/08\/02135613\/lofylife-malicious-packages-in-npm-repository-proc-title-1024x410.jpg\" width=\"1024\" height=\"410\"><p id=\"caption-attachment-10903\" class=\"wp-caption-text\">Description of the package titled \u201cproc-title\u201d, one of the infected packages (translated from Portuguese: This package correctly capitalizes your titles in line with the Chicago style.)<\/p><\/div>\n<p>However, these packages contained highly convoluted malicious JavaScript and Python code, which made them harder to analyze when they were uploaded to the repository. The malicious payload consisted of the open-source Volt Stealer malware, written in Python, and the feature-rich Lofy Stealer JavaScript malware.<\/p>\n<p>Volt Stealer was used to steal Discord tokens and the victim's IP address from infected devices and upload them over HTTP. 
Lofy Stealer, a new development by the attackers, can infect Discord client files and monitor the victim's actions, detecting when a user logs in, changes the registered email address or password, enables or disables multi-factor authentication, and adds new payment methods (if a new payment method is added, it also steals all the credit card details). The collected information was then uploaded to a remote endpoint.<\/p>\n<h2>How to protect yourself from malicious packages<\/h2>\n<p>Open-source repositories let anyone publish their own package, and not every package is entirely safe. For example, attackers can imitate popular npm packages by changing a few letters in the name, leading users to believe they are downloading the genuine package. So we recommend being careful and not trusting every package.<\/p>\n<p>Development and build environments in general are convenient targets for attackers attempting to mount supply-chain attacks, which means these environments badly need anti-malware protection such as <a href=\"https:\/\/www.kaspersky.com.tr\/enterprise-security\/devops-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Hybrid Cloud Security<\/a>. 
Our products successfully detect LofyLife with the verdicts HEUR:Trojan.Script.Lofy.gen and Trojan.Python.Lofy.a.<\/p>\n<p>If you want to be among the first to learn about new malicious campaigns spreading through open-source code, subscribe to threat intelligence feeds and reports such as those offered by the <a href=\"https:\/\/opentip.kaspersky.com\/?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______&amp;utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=tr_wpplaceholder_nv0092&amp;utm_content=link&amp;utm_term=tr_kdaily_organic_undefined\" target=\"_blank\" rel=\"noopener nofollow\">Threat Intelligence Portal<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new malicious campaign is trying to capture Discord tokens and credit card details via infected npm packages.<\/p>\n","protected":false},"author":2632,"featured_media":10902,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1351],"tags":[1697,2369,2570,2571,1611],"class_list":{"0":"post-10901","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-banka-kartlari","9":"tag-discord","10":"tag-npm","11":"tag-parola-calan-yazilim","12":"tag-tedarik-zinciri"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/lofylife-malicious-packages-in-npm-repository\/10901\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/lofylife-malicious-packages-in-npm-repository\/24418\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/lofylife-malicious-packages-in-npm-repository\/19884\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/lofylife-malicious-packages-in-npm-repository\/26814\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/lofylife-malicious-packages-in-npm-repository\/24719\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/lofylife-malicious-packages-in-npm-repository\/25123\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/lofylife-malicious-packages-in-npm-repository\/27466\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/lofylife-malicious-packages-in-npm-repository\/33783\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/lofylife-malicious-packages-in-npm-repository\/45042\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/lofylife-malicious-packages-in-npm-repository\/19244\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/lofylife-malicious-packages-in-npm-repository\/19802\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/lofylife-malicious-packages-in-npm-repository\/29092\/"},{"
hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/lofylife-malicious-packages-in-npm-repository\/25316\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/lofylife-malicious-packages-in-npm-repository\/30784\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/lofylife-malicious-packages-in-npm-repository\/30530\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/tedarik-zinciri\/","name":"tedarik zinciri"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10901","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2632"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=10901"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10901\/revisions"}],"predecessor-version":[{"id":10904,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10901\/revisions\/10904"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/10902"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=10901"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=10901"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=10901"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}