[turtle]

SYSJOKER — Backdoor for Windows, macOS, and Linux went undetected until now
Ouch.

Quote:

Researchers have uncovered a never-before-seen backdoor written from scratch for systems running Windows, macOS, or Linux that remained undetected by virtually all malware scanning engines. ... Analyses of the Windows version (by Intezer) and the version for Macs (by researcher Patrick Wardle) found that SysJoker provides advanced backdoor capabilities. Executable files for both the Windows and macOS versions had the suffix .ts. Intezer said that may be an indication the file masqueraded as a type script app spread after being sneaked into the npm JavaScript repository. Intezer went on to say that SysJoker masquerades as a system update.

Once again, a repo is the attack vector. This is going to make trusting formerly "safe" repos a concern for all.

Quote:

SysJoker is written in C++, and as of Tuesday, the Linux and macOS versions were fully undetected on the VirusTotal malware search engine. The backdoor generates its control-server domain by decoding a string retrieved from a text file hosted on Google Drive. During the time the researchers were analyzing it, the server changed three times, indicating the attacker was active and monitoring for infected machines.

Actively changing updates on the Google Drive is bad. I'm looking forward to seeing how to pinpoint this one. I would hate for my stuff to be impacted. While I don't use npm much, I'm near positive HomeBridge does and I use it for my HomeKit setup, among other things.