Critical supply-chain compromise detected in the npm package art-template (4.13.3–4.13.6), delivering the Coruna iOS exploit kit via account takeover. The attack targets iPhone users with a multi-stage payload exploiting CVE-2024-23222 (CVSS 8.8) and 22 other vulnerabilities, leading to native code execution and cryptocurrency wallet theft via PLASMAGRID.

In brief - A maintainer account takeover enabled malicious versions of the widely used art-template npm package to inject browser-based payloads. The attack chain delivers the Coruna exploit kit, exploiting iOS vulnerabilities (including CVE-2024-23222) to deploy PLASMAGRID, a cryptocurrency wallet stealer. Active C2 infrastructure and throwaway npm accounts highlight persistent supply chain risks.

Technically - Unauthorized modifications to template-web.js in art-template versions 4.13.3–4.13.6 appended code loading external scripts from v3.jiathis[.]com. The attack stages include Baidu Analytics tracking, iPhone-specific iframes, device fingerprinting, and delivery of the Coruna exploit kit (606KB, 14 modules). CVE-2024-23222 (JavaScriptCore type confusion) is exploited via WebAssembly type confusion and JIT heap spraying, bypassing ASLR through dyld shared cache parsing. ARM64 shellcode executes syscalls (ptrace, csops) for native code execution. PLASMAGRID targets wallets like MetaMask, with C2 (l1ewsu3yjkqeroy[.]xyz) fronted by Cloudflare. Throwaway npm accounts (v4v5qc, npmpacketmaintainmember7) and GitHub renames (aui → goofychris) maintained persistence.

Source: https://safedep.io/art-template-npm-supply-chain-compromise

#Cybersecurity #ThreatIntel