Two npm Packages Found to be Infected with Malware
Researchers from cybersecurity firm ReversingLabs have uncovered two code packages, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, published to the well-known npm JavaScript library and registry and containing TurkoRat, an information-stealing malware. The malicious packages attempted to impersonate a legitimate package, agent-base version 6.0.2, which has been downloaded more than 20 million times, reflecting a growing trend of threat actors relying on typosquatting tactics to deceive organizations into unintentionally downloading malicious code.
The Red Flags in the Malicious Code Packages
ReversingLabs’ researchers noted several irregularities in the malware-infected code packages, such as a suspicious version number (6.0.2) chosen to fool developers into thinking they were downloading the latest release of the legitimate package. This strategy is referred to as “version staking,” and the malicious actors hoped that, out of millions of developers, at least one would be enticed into downloading the malicious package instead of the benign one. Additionally, nodejs-encrypt-agent closely resembled the agent-base module, with the exception of a malicious portable executable file that ran as soon as the package was used, launched by hidden malicious commands in the index.js file. The malware wrote and deleted commands in Windows system directories, executed commands and manipulated Domain Name System settings.
Spotting Malicious npm Packages
There are several ways of spotting malicious packages. According to Lucija Valentić, a software threat researcher with ReversingLabs, manually inspecting the source code in the package repository is one of the easiest ways to detect malicious packages. Another option is to install and execute the package in an isolated environment and flag any irregular behavior or content that is not advertised or expected. Also, before adding an external dependency to implement a feature, check whether the feature is simple enough to handle yourself: it may be better to avoid unverified code in a project than to use a library without checking its name and reputation and reviewing its code to ensure it is the right library.
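The red flags described above (a version number copied from a popular package, a bundled portable executable, and command execution hidden in index.js) can be checked mechanically before a package is ever installed. The following is an added example, not code from the article or from ReversingLabs; it triages an unpacked package given as a map of file path to Buffer, and the sample package and the `scanPackage` helper are constructed for illustration.

```javascript
// Added example: offline triage of an unpacked npm package for the red flags
// the report describes. `files` maps path -> Buffer as produced by extracting
// `npm pack` output; `knownGood` is the legitimate package whose popularity
// an impostor may try to borrow. Findings are heuristics to review, not verdicts.
const PE_MAGIC = Buffer.from('MZ');            // first two bytes of a Windows PE
const RISKY_SCRIPTS = ['preinstall', 'install', 'postinstall'];
const RISKY_CALLS = [/\bchild_process\b/, /\bexecSync?\s*\(/, /\bspawn(Sync)?\s*\(/];

function scanPackage(files, knownGood) {
  const findings = [];
  if (!files['package.json']) return ['missing package.json'];
  const pkg = JSON.parse(files['package.json'].toString('utf8'));

  // Red flag 1: a different name that shares a word with the popular package
  // and reuses its exact version number ("version staking").
  const sharesWord = knownGood.name.split('-')
    .some(w => w.length >= 4 && pkg.name.includes(w));
  if (pkg.name !== knownGood.name && pkg.version === knownGood.version && sharesWord)
    findings.push(`version ${pkg.version} mirrors ${knownGood.name}@${knownGood.version} under a different name`);

  // Red flag 2: lifecycle scripts that run arbitrary code at install time.
  for (const s of RISKY_SCRIPTS)
    if (pkg.scripts && pkg.scripts[s]) findings.push(`install-time script "${s}": ${pkg.scripts[s]}`);

  for (const [path, data] of Object.entries(files)) {
    // Red flag 3: a Windows portable executable shipped inside a JS package.
    if (data.length >= 2 && data.subarray(0, 2).equals(PE_MAGIC))
      findings.push(`portable executable: ${path}`);
    // Red flag 4: JavaScript that spawns processes (commands hidden in index.js).
    if (path.endsWith('.js')) {
      const src = data.toString('utf8');
      if (RISKY_CALLS.some(re => re.test(src))) findings.push(`process execution in ${path}`);
    }
  }
  return findings;
}

// Constructed sample shaped like the reported package; the .exe is an inert stub.
const SAMPLE = {
  'package.json': Buffer.from(JSON.stringify({ name: 'nodejs-encrypt-agent', version: '6.0.2', main: 'index.js' })),
  'index.js': Buffer.from("const { execSync } = require('child_process');\nexecSync('lib\\\\helper.exe');\n"),
  'lib/helper.exe': Buffer.concat([Buffer.from('MZ'), Buffer.alloc(62)]),
};
const AGENT_BASE = { name: 'agent-base', version: '6.0.2' };

console.log(scanPackage(SAMPLE, AGENT_BASE).join('\n'));
```

A package that passes this check still deserves the manual review and sandboxed run described above; the script only narrows where to look first.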
Impact of Malicious npm Packages
The malicious code packages, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, recorded approximately 500 and fewer than 700 downloads over two months, respectively, raising concerns about how many systems the TurkoRat malware infected. The escalation of automated cyberattacks against npm, NuGet, and PyPI raises serious concerns regarding the security of open-source software supply chains. This trend is further intensified by threat actors exploiting automated processes to create packages and user accounts, making it difficult for security teams to identify and take down malicious packages.
Protecting the Open-Source Software Supply Chain
The discovery of these malicious packages underscores the growing sophistication of threat actors and threats to open-source software supply chains. As such, tech companies such as Google are taking proactive measures to enhance security in the open-source software supply chain by offering solutions such as the deps.dev API, which provides developers with information about the packages they are thinking of using. Furthermore, Assured OSS permits organizations to include open-source packages used and secured by Google in their development workflows.
Conclusion
The discovery of malicious code packages in the npm JavaScript library and registry, containing the TurkoRat malware, highlights how crucial it is to strengthen security measures in open-source software supply chains, since these are becoming increasingly vulnerable to cyber-attacks. Organizations relying on open-source packages should regularly review their source code to verify its authenticity and ensure that they are not using any outdated or compromised packages. Moreover, developers must exercise caution when introducing third-party code into their projects and, where necessary, use solutions that validate package authenticity. In addition, it is worth taking advantage of security solutions from reputable companies like Google to minimize the risk of cyber-attacks.