
Introduction
The Yeshen-Asia campaign is a sophisticated software supply chain attack targeting NPM, leveraging malicious JavaScript packages to steal credentials and host data. This threat bypasses traditional security controls like EDR, SCA, and SAST, posing significant risks to organizations relying on open-source dependencies. Below, we dissect the attack and provide actionable defenses.
Learning Objectives
- Understand the mechanics of the Yeshen-Asia infostealer.
- Identify compromised packages using provided IOCs.
- Implement mitigations to prevent similar supply chain attacks.
1. Detecting Compromised NPM Packages
Command (Linux/Mac):
npm ls --depth=0 | grep -E "(package1|package2|package3)"  # replace the placeholders with the IOC package names from Safety's blog
Note that `--depth=0` lists only direct dependencies; use `npm ls --all` to include transitive ones, which is where a malicious package is most likely to sit.
Steps:
1. Run the command to list installed NPM packages.
2. Cross-reference with IOCs (e.g., `[email protected]`).
3. Isolate and remove flagged packages immediately.
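The `npm ls | grep` one-liner only sees package names. The following is an added example (not code from the original post or from Safety) that cross-references the full `package-lock.json` package map, transitive entries included, against a list of `name@version` indicators. The IOC list and the lockfile are constructed placeholders; substitute the real indicators from Safety's blog post.

```javascript
// Constructed IOC list in name@version form (placeholders, not real indicators).
const IOC_PACKAGES = [
  "example-stealer@1.0.3",
  "@example-scope/telemetry-helper@2.4.0",
];

// Derive the package name from a lockfile "packages" key such as
// "node_modules/@scope/pkg" or "node_modules/a/node_modules/@scope/pkg".
function packageNameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Return every installed package (nested/transitive ones included) whose
// name@version appears in the indicator list. Works on lockfile v2/v3 objects.
function findCompromisedPackages(lockfile, iocs) {
  const iocSet = new Set(iocs);
  const hits = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === "") continue; // the root project entry, not a dependency
    const name = entry.name || packageNameFromLockKey(key);
    const id = `${name}@${entry.version}`;
    if (iocSet.has(id)) hits.push({ path: key, id });
  }
  return hits;
}

// Constructed lockfile shaped like npm's v3 format. One hit is nested under
// another dependency, where a depth-0 listing would never show it; the last
// entry has a matching name but a version that is not in the IOC list.
const SAMPLE_LOCKFILE = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/@example-scope/telemetry-helper": { version: "2.4.0" },
    "node_modules/some-cli/node_modules/example-stealer": { version: "1.0.3" },
    "node_modules/example-stealer": { version: "1.0.2" },
  },
};

for (const hit of findCompromisedPackages(SAMPLE_LOCKFILE, IOC_PACKAGES)) {
  console.log(`FLAGGED ${hit.id} at ${hit.path}`);
}
```

To run it against a real project, parse the project's `package-lock.json` with `JSON.parse` and pass the object to `findCompromisedPackages`; a non-empty result is the list of packages to isolate and remove.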
2. Analyzing Network Traffic for C2 Communication
Command (Windows):
Get-NetTCPConnection | Where-Object { $_.RemoteAddress -match "^185\.143\.223\." }  # example C2 IP range; substitute the addresses from Safety's blog
Steps:
- Execute in PowerShell to check active connections against known C2 addresses.
- Block suspicious IPs via firewall rules (New-NetFirewallRule -DisplayName "Block Yeshen-Asia C2" -Direction Outbound -RemoteAddress 185.143.223.0/24 -Action Block). The rule must be outbound: an infostealer initiates the connection to its C2, and New-NetFirewallRule defaults to inbound.
3. Hardening NPM Configurations
Command:
npm config set ignore-scripts true  # disables automatic execution of lifecycle scripts (preinstall, install, postinstall)
Steps:
1. With this set, a malicious `postinstall` script cannot run during `npm install`; packages that legitimately need a build step must then be handled explicitly (e.g., `npm rebuild` for specific native modules).
2. Audit existing dependencies with `npm audit --production` (on npm 8 and later the equivalent flag is `--omit=dev`).
4. EDR Bypass: How Yeshen-Asia Evades Detection
Code Snippet (JavaScript):
// Obfuscated payload example: the real code is only materialised at run time,
// so a static scan of the package sees a base64 string rather than the payload
// (here "aGVsbG8=" is simply "hello", standing in for the actual payload)
const payload = Buffer.from("aGVsbG8=", "base64").toString();
eval(payload);
Mitigation:
- Deploy runtime protection tools (e.g., Falco) to monitor `eval()` usage. Falco observes syscalls rather than the JavaScript interpreter, so the useful signal is what the decoded payload does next (spawned processes, file reads, outbound connections) rather than the `eval()` call itself.
- Enable SAST rules to flag base64 decoding + `eval()` patterns.
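The following added example (not code from the original post or from Safety) covers both of the preceding sections: it audits dependency manifests for install-time lifecycle hooks, which is exactly what `ignore-scripts` suppresses, and scans the referenced sources for the base64-decode-then-`eval()` pattern described above, as a minimal SAST rule. The manifests, file contents and package names are constructed sample data.

```javascript
// Lifecycle hooks npm runs automatically when a dependency is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristic SAST patterns: a base64 decode and a dynamic-code sink in the same file.
const BASE64_DECODE = /Buffer\.from\s*\([^)]*["']base64["']\s*\)|\batob\s*\(/;
const DYNAMIC_CODE_SINK = /\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.runIn\w*Context\s*\(/;

// List the install-time hooks a package.json declares, with their commands.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// True if the source both decodes base64 and feeds a dynamic-code sink.
function flagsBase64Eval(source) {
  return BASE64_DECODE.test(source) && DYNAMIC_CODE_SINK.test(source);
}

// Walk a map of package name -> { manifest, files: { path: source } } and
// return one finding per install hook and per file matching the pattern.
function auditPackages(packages) {
  const findings = [];
  for (const [name, pkg] of Object.entries(packages)) {
    for (const h of installHooks(pkg.manifest)) {
      findings.push({ package: name, type: "install-hook", detail: `${h.hook}: ${h.command}` });
    }
    for (const [file, src] of Object.entries(pkg.files || {})) {
      if (flagsBase64Eval(src)) findings.push({ package: name, type: "base64-eval", detail: file });
    }
  }
  return findings;
}

// Constructed sample packages: one with a postinstall hook that decodes and
// evals, one clean library, and one native module that decodes base64 for a
// legitimate reason (no dynamic-code sink), which should not trip the rule.
const SAMPLE_PACKAGES = {
  "example-stealer": {
    manifest: { name: "example-stealer", version: "1.0.3", scripts: { postinstall: "node setup.js" } },
    files: { "setup.js": 'const p = Buffer.from("aGVsbG8=", "base64").toString();\neval(p);\n' },
  },
  "left-pad": {
    manifest: { name: "left-pad", version: "1.3.0", scripts: { test: "node test.js" } },
    files: { "index.js": "module.exports = function leftPad(s, n) { return s.padStart(n); };\n" },
  },
  "native-addon": {
    manifest: { name: "native-addon", version: "0.2.0", scripts: { install: "node-gyp rebuild" } },
    files: { "index.js": 'const d = Buffer.from(payload, "base64"); fs.writeFileSync(out, d);\n' },
  },
};

for (const f of auditPackages(SAMPLE_PACKAGES)) {
  console.log(`${f.type.padEnd(13)} ${f.package}: ${f.detail}`);
}
```

To apply this to a real tree, build the `packages` map by reading each `node_modules/<name>/package.json` plus the files its hooks reference. The `install-hook` findings are the list to review before deciding which packages get an explicit rebuild once `ignore-scripts` is on; the `base64-eval` findings are the ones to treat as incidents until proven otherwise.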
5. Cloud Hardening for CI/CD Pipelines
AWS CLI Command:
aws iam create-policy --policy-name "Deny-NPM-Install" --policy-document file://deny-npm.json
JSON Policy (deny-npm.json):
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "npm install",
    "Resource": "*"
  }]
}
Caveat: IAM policies evaluate AWS API actions written as `service:Action` (for example `s3:GetObject`). `npm install` is a shell command on the build host, not an API action, so this document does not restrict the command and `create-policy` rejects it as a malformed policy document. The restriction has to be enforced where npm runs: pin the registry in the runner's `.npmrc`, set `ignore-scripts`, and allowlist packages at the private registry.
Steps:
1. Restrict unauthorized `npm install` in CI/CD environments.
2. Use private registries like Artifactory with allowlisting.
What Undercode Say
- Key Takeaway 1: Supply chain attacks are shifting to native JS infostealers, rendering signature-based tools ineffective.
- Key Takeaway 2: Proactive measures like zero-trust npm policies and runtime monitoring are critical.
Analysis:
The Yeshen-Asia campaign underscores the need for layered defenses. While IOCs help reactively, organizations must adopt:
1. SBOM (Software Bill of Materials): Track dependencies in real-time.
2. Behavioral Analysis: Detect anomalous script execution.
3. Vendor-Agnostic Threat Intel: Cross-reference IOCs across platforms like VirusTotal.
Prediction
Future attacks will likely abuse WASM or Web Workers for further evasion. Organizations investing in supply chain orchestration (e.g., Sigstore, in-toto) will gain resilience against such campaigns.
Reference: Safety Blog Post for full IOCs.
Reported By: Safetycli Yeshen – Hackers Feeds