{"id":10547,"date":"2025-10-13T13:28:52","date_gmt":"2025-10-13T06:28:52","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10547"},"modified":"2026-02-05T13:28:59","modified_gmt":"2026-02-05T06:28:59","slug":"175-goi-npm-doc-hai-bi-loi-dung-trong-chien-dich-lua-dao-beamglea","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/10\/13\/175-goi-npm-doc-hai-bi-loi-dung-trong-chien-dich-lua-dao-beamglea\/","title":{"rendered":"175 g\u00f3i npm \u0111\u1ed9c h\u1ea1i b\u1ecb l\u1ee3i d\u1ee5ng trong chi\u1ebfn d\u1ecbch l\u1eeba \u0111\u1ea3o Beamglea"},"content":{"rendered":"

Trong khi c\u00e1c nh\u00e0 ph\u00e1t tri\u1ec3n v\u1eabn \u0111ang ph\u1ee5 thu\u1ed9c v\u00e0o kho th\u01b0 vi\u1ec7n m\u00e3 ngu\u1ed3n m\u1edf nh\u01b0 npm \u0111\u1ec3 ti\u1ebft ki\u1ec7m th\u1eddi gian l\u1eadp tr\u00ecnh, th\u00ec gi\u1edbi t\u1ed9i ph\u1ea1m m\u1ea1ng l\u1ea1i t\u00ecm ra c\u00e1ch m\u1edbi \u0111\u1ec3 bi\u1ebfn ch\u00ednh n\u1ec1n t\u1ea3ng n\u00e0y th\u00e0nh h\u1ea1 t\u1ea7ng ph\u00e1t t\u00e1n phishing. M\u1ed9t chi\u1ebfn d\u1ecbch tinh vi mang t\u00ean Beamglea v\u1eeba b\u1ecb c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u an ninh m\u1ea1ng ph\u00e1t hi\u1ec7n, cho th\u1ea5y 175 g\u00f3i npm \u0111\u1ed9c h\u1ea1i \u0111\u00e3 \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 ph\u1ee5c v\u1ee5 cho chi\u1ebfn d\u1ecbch \u0111\u00e1nh c\u1eafp t\u00e0i kho\u1ea3n Microsoft quy m\u00f4 to\u00e0n c\u1ea7u.<\/b><\/p>\n

\"1760338168995.png\"<\/a>\u200b<\/div>\n

Theo b\u00e1o c\u00e1o, c\u00e1c g\u00f3i npm \u0111\u1ed9c h\u1ea1i n\u00e0y \u0111\u00e3 \u0111\u01b0\u1ee3c t\u1ea3i xu\u1ed1ng h\u01a1n 26.000 l\u1ea7n v\u00e0 ph\u1ea7n l\u1edbn l\u00e0 do c\u00e1c nh\u00e0 ph\u00e2n t\u00edch b\u1ea3o m\u1eadt, h\u1ec7 th\u1ed1ng qu\u00e9t t\u1ef1 \u0111\u1ed9ng ho\u1eb7c CDN ki\u1ec3m tra sau khi c\u00f3 c\u1ea3nh b\u00e1o. Tuy v\u1eady, \u0111i\u1ec1u \u0111\u00e1ng lo ng\u1ea1i l\u00e0 c\u00e1c g\u00f3i n\u00e0y kh\u00f4ng ho\u1ea1t \u0111\u1ed9ng theo c\u00e1ch \u201ctruy\u1ec1n th\u1ed1ng\u201d c\u1ee7a m\u00e3 \u0111\u1ed9c, ch\u00fang kh\u00f4ng t\u1ea5n c\u00f4ng khi \u0111\u01b0\u1ee3c c\u00e0i \u0111\u1eb7t, m\u00e0 l\u1ee3i d\u1ee5ng h\u1ea1 t\u1ea7ng h\u1ee3p ph\u00e1p c\u1ee7a npm v\u00e0 UNPKG (m\u1ed9t d\u1ecbch v\u1ee5 CDN c\u00f4ng khai) \u0111\u1ec3 l\u01b0u tr\u1eef v\u00e0 chuy\u1ec3n h\u01b0\u1edbng n\u1ea1n nh\u00e2n \u0111\u1ebfn trang l\u1eeba \u0111\u1ea3o.<\/p>\n

Chi\u1ebfn d\u1ecbch nh\u1eafm v\u00e0o h\u01a1n 135 c\u00f4ng ty trong l\u0129nh v\u1ef1c c\u00f4ng nghi\u1ec7p, c\u00f4ng ngh\u1ec7 v\u00e0 n\u0103ng l\u01b0\u1ee3ng tr\u00ean to\u00e0n c\u1ea7u. Nh\u00e0 nghi\u00ean c\u1ee9u Kush Pandya cho bi\u1ebft: \u201cNpm \u0111ang b\u1ecb bi\u1ebfn th\u00e0nh h\u1ea1 t\u1ea7ng v\u00f4 t\u00ecnh ph\u1ee5c v\u1ee5 t\u1ed9i ph\u1ea1m m\u1ea1ng ch\u1ee9 kh\u00f4ng ph\u1ea3i l\u00e0 c\u00f4ng c\u1ee5 t\u1ea5n c\u00f4ng tr\u1ef1c ti\u1ebfp.\u201d<\/p>\n

C\u00e1c g\u00f3i npm trong chi\u1ebfn d\u1ecbch Beamglea \u0111\u01b0\u1ee3c t\u1ea1o t\u1ef1 \u0111\u1ed9ng b\u1eb1ng m\u1ed9t \u0111o\u1ea1n m\u00e3 Python c\u00f3 t\u00ean “redirect_generator.py”. Script n\u00e0y t\u1ea1o ra c\u00e1c package ng\u1eabu nhi\u00ean c\u00f3 t\u00ean nh\u01b0 \u201credirect-xxxxxx\u201d, sau \u0111\u00f3 ch\u00e8n \u0111\u1ecba ch\u1ec9 email c\u1ee7a n\u1ea1n nh\u00e2n v\u00e0 \u0111\u01b0\u1eddng d\u1eabn trang phishing v\u00e0o trong m\u00e3 ngu\u1ed3n.<\/p>\n

Khi g\u00f3i n\u00e0y \u0111\u01b0\u1ee3c xu\u1ea5t b\u1ea3n l\u00ean npm, n\u00f3 s\u1ebd t\u1ea1o ra m\u1ed9t t\u1ec7p HTML ch\u1ee9a li\u00ean k\u1ebft \u0111\u1ebfn m\u00e3 JavaScript \u0111\u1ed9c h\u1ea1i l\u01b0u tr\u00ean CDN c\u1ee7a unpkg.com (v\u00ed d\u1ee5: Unpkg.com\/redirect-xs13nr@1.0.0\/beamglea.js). Khi ng\u01b0\u1eddi nh\u1eadn m\u1edf t\u1ec7p HTML n\u00e0y trong tr\u00ecnh duy\u1ec7t, JavaScript s\u1ebd t\u1ef1 \u0111\u1ed9ng chuy\u1ec3n h\u01b0\u1edbng h\u1ecd \u0111\u1ebfn trang \u0111\u0103ng nh\u1eadp Microsoft gi\u1ea3 m\u1ea1o.<\/p>\n

\u0110i\u1ec3m tinh vi l\u00e0 email c\u1ee7a n\u1ea1n nh\u00e2n \u0111\u01b0\u1ee3c truy\u1ec1n s\u1eb5n tr\u00ean URL, khi\u1ebfn tr\u01b0\u1eddng \u0111\u0103ng nh\u1eadp trong trang phishing \u0111\u01b0\u1ee3c t\u1ef1 \u0111\u1ed9ng \u0111i\u1ec1n s\u1eb5n, t\u1ea1o c\u1ea3m gi\u00e1c nh\u01b0 m\u1ed9t c\u1ed5ng \u0111\u0103ng nh\u1eadp h\u1ee3p ph\u00e1p m\u00e0 ng\u01b0\u1eddi d\u00f9ng t\u1eebng truy c\u1eadp. Ch\u00ednh y\u1ebfu t\u1ed1 n\u00e0y gi\u1ea3m \u0111\u00e1ng k\u1ec3 s\u1ef1 nghi ng\u1edd v\u00e0 t\u0103ng t\u1ef7 l\u1ec7 th\u00e0nh c\u00f4ng c\u1ee7a cu\u1ed9c t\u1ea5n c\u00f4ng.<\/p>\n

C\u00e1c t\u1ec7p HTML \u0111\u01b0\u1ee3c ng\u1ee5y trang r\u1ea5t k\u1ef9 l\u01b0\u1ee1ng, ch\u00fang mang t\u00ean \u0111\u01a1n h\u00e0ng, t\u00e0i li\u1ec7u k\u1ef9 thu\u1eadt, d\u1ef1 \u00e1n h\u1ee3p t\u00e1c, v.v., khi\u1ebfn n\u1ea1n nh\u00e2n d\u1ec5 tin r\u1eb1ng \u0111\u00e2y l\u00e0 t\u1ec7p n\u1ed9i b\u1ed9 c\u1ea7n xem. Socket cho bi\u1ebft \u0111\u00e3 ph\u00e1t hi\u1ec7n h\u01a1n 630 t\u1ec7p HTML nh\u01b0 v\u1eady trong c\u00e1c g\u00f3i npm b\u1ecb l\u1ee3i d\u1ee5ng.<\/p>\n

\u0110i\u1ec1u nguy hi\u1ec3m \u1edf Beamglea n\u1eb1m \u1edf ch\u1ed7 t\u1ed9i ph\u1ea1m m\u1ea1ng kh\u00f4ng c\u1ea7n d\u1ef1ng m\u00e1y ch\u1ee7 ri\u00eang hay thu\u00ea d\u1ecbch v\u1ee5 \u0111\u1ed9c h\u1ea1i. Ch\u00fang d\u1ef1a v\u00e0o ch\u00ednh h\u1ea1 t\u1ea7ng \u0111\u00e1ng tin c\u1eady nh\u01b0 npm v\u00e0 UNPKG \u0111\u1ec3 ph\u00e1t t\u00e1n n\u1ed9i dung. C\u00e1ch l\u00e0m n\u00e0y s\u1ebd:<\/p>\n