Programmer’s Digest #98

08/28/2024-09/04/2024 Malicious npm Packages Mimicking ‘noblox.js’, Critical Fortra FileCatalyst Workflow Vulnerability, Critical Apache OFBiz Flaw And More.

1. Malicious npm Packages Mimicking ‘noblox.js’ Compromise Roblox Developers’ Systems

Roblox developers are being targeted by a campaign that uses fake npm packages to compromise their systems, another instance of attackers exploiting trust in the open-source ecosystem. The packages impersonate the popular noblox.js library under names such as noblox.js-proxy-server, noblox-ts, noblox.js-async and noblox.js-api, and deliver data stealers and malware including the Luna Token Grabber and Quasar RAT. To look legitimate they rely on starjacking: the package metadata links to the real noblox.js repository, so its stars and activity appear to belong to the impostor. The malware steals Discord tokens, takes steps to evade detection, and persists by altering Windows Registry settings. Developers should remain vigilant, as new malicious packages continue to surface after each takedown.

2. North Korean Hackers Target Developers with Malicious npm Packages

A set of fake npm packages linked to North Korean state-sponsored actors has been uncovered by Phylum. The packages, including execution-time-async, data-time-utils and mongodb-connection-utils, were designed to steal credentials and cryptocurrency. execution-time-async, for example, mimics the legitimate execution-time library, which has over 27,000 weekly downloads. The packages were downloaded over 300 times before takedown and concealed their malicious scripts within test files, targeting browsers such as Chrome and Brave. The attribution rests on obfuscated JavaScript that resembles the BeaverTail malware used in the Contagious Interview campaign, which approaches developers through fake job interviews.

3. Critical Fortra FileCatalyst Workflow Vulnerability Patched (CVE-2024-6633)

Organizations using Fortra's FileCatalyst Workflow should urgently upgrade to version 5.1.7, which patches two vulnerabilities. The first, CVE-2024-6633 (rated critical), stems from static credentials for the product's internal HSQL database that were published in a vendor knowledge base article. An attacker who knows these credentials can connect to the database, insert an admin-level user, and thereby gain administrative access to the Workflow web application. The HSQL database is intended only for the installation phase; deployments that never switched to one of the vendor-recommended databases remain exposed.

The second flaw, CVE-2024-6632, is a SQL injection vulnerability that allows unauthorized modifications to the MySQL database during the setup process. Both issues affect versions 5.1.6 and earlier, and there is no workaround: upgrading is the only fix.

4. CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Apache OFBiz vulnerability, CVE-2024-38856, to its Known Exploited Vulnerabilities (KEV) catalog on the basis of active exploitation. The flaw, rated CVSS 9.8, allows an unauthenticated attacker to execute code remotely by submitting a Groovy payload.

It was found as a bypass of the patch for CVE-2024-36104 and abuses the override view functionality to reach endpoints that should not be accessible without authentication. Although details of the in-the-wild exploitation are scarce, proof-of-concept exploits are publicly available. Organizations should update to version 18.12.15; federal agencies are required to apply the update by September 17, 2024.