A rise in the discovery of malicious software packages targeting system vulnerabilities has been reported by security researchers. According to a recent report released by Fortinet, analysis of threats observed since November 2024 shows a trend where attackers are employing lightweight and obfuscated packages to infiltrate systems without detection.
The research highlights various malicious software packages and the techniques attackers use to avoid detection and compromise systems. These include packages with very few files to minimize detection, install scripts that silently deploy malicious code, missing repository URLs that make legitimacy hard to verify, suspicious URLs linked to command-and-control servers, APIs used for data exfiltration, empty descriptions that hide the package's true intent, and excessively high version numbers meant to mislead users.
Attackers have been increasingly using tactics like obfuscation, command overwrites, and typosquatting to bypass traditional defense mechanisms. Some malicious packages use suspicious install scripts with embedded API calls to transfer sensitive data to external servers, while others rely on missing metadata or repository URLs to escape scrutiny. Fortinet identified several high-risk packages, such as AffineQuant-99.6 (Python), which exfiltrated system data; seller-admin-common_6.5.8 (Node.js), which transmitted system details via a Discord webhook; and xeno.dll_1.0.2 (JavaScript), which deployed a keylogger and a backdoor that captured sensitive information and provided remote access.
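The indicators listed above (few files, install hooks, missing repository URL, suspicious URLs, empty description, implausible version) can be turned into a simple triage check for package manifests. The script below is an added example, not code from the Fortinet report; it checks an npm-style manifest and the thresholds, the regex and the sample manifest are constructed assumptions for illustration.

```python
import re

# Heuristics taken from the indicators the report describes. The numeric
# thresholds and the URL pattern are assumptions chosen for this example.
LOW_FILE_COUNT = 3
HIGH_MAJOR_VERSION = 50
SUSPICIOUS_URL = re.compile(
    r"https?://(?:\d{1,3}(?:\.\d{1,3}){3}|discord(?:app)?\.com/api/webhooks)\S*",
    re.IGNORECASE,
)
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def score_manifest(manifest: dict, file_count: int) -> list[str]:
    """Return the list of red flags found in an npm-style package manifest."""
    flags = []
    if file_count <= LOW_FILE_COUNT:
        flags.append(f"low file count ({file_count})")
    scripts = manifest.get("scripts") or {}
    hooks = [h for h in INSTALL_HOOKS if h in scripts]
    if hooks:
        flags.append("install-time script hook: " + ", ".join(hooks))
    # Scan every script body for URLs pointing at raw IPs or webhook endpoints.
    for name, body in scripts.items():
        for url in SUSPICIOUS_URL.findall(str(body)):
            flags.append(f"suspicious URL in script '{name}': {url}")
    if not manifest.get("repository"):
        flags.append("no repository URL")
    if not (manifest.get("description") or "").strip():
        flags.append("empty description")
    major = str(manifest.get("version", "0")).split(".")[0]
    if major.isdigit() and int(major) >= HIGH_MAJOR_VERSION:
        flags.append(f"implausibly high version ({manifest['version']})")
    return flags


# Constructed sample manifest that exhibits the evasion pattern described above.
SAMPLE_MANIFEST = {
    "name": "example-suspicious-pkg",
    "version": "99.6.0",
    "description": "",
    "scripts": {"postinstall": "node setup.js https://discord.com/api/webhooks/PLACEHOLDER"},
}

if __name__ == "__main__":
    for flag in score_manifest(SAMPLE_MANIFEST, file_count=2):
        print("-", flag)
```

A real pipeline would feed this from the extracted package contents and combine it with static scanning rather than treating any single flag as conclusive.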
In response to these threats, FortiGuard Labs stressed the importance of not relying solely on static detection methods. Eric Schwake, director of cybersecurity strategy at Salt Security, emphasized the need for organizations to establish strong API discovery processes to gain complete visibility of their API environment, including shadow APIs that could be vulnerable to attacks. He also mentioned the significance of effective API posture governance to ensure secure development, deployment, and management following industry standards.
Jason Soroko, senior fellow at Sectigo, echoed Schwake’s sentiments by stating that lean and obfuscated packages easily bypass traditional security tools. He emphasized the need for conventional tools to adapt and detect subtle evasion techniques like command overwrites and typosquatting, while robust and adaptive defenses are crucial in verifying software legitimacy in the face of evolving threats.
Organizations are advised to implement proactive security measures such as regular vulnerability scans, stringent API governance, and advanced threat monitoring tools to effectively combat emerging cyber threats. In a world where cyber threats are constantly evolving, it is imperative for organizations to stay ahead of malicious actors by staying vigilant and continuously improving their security posture.
For more information on API-related threats, you can refer to the article: “AI Surge Drives Record 1205% Increase in API Vulnerabilities” at infosecurity-magazine.com.