Once Again, Malware Found Concealed in npm


Recent investigations by ReversingLabs have uncovered two npm packages, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, that delivered the open-source TurkoRat malware. The threat actors behind nodejs-encrypt-agent tried to pass it off as agent-base, a legitimate package whose version 6.0.2 has been downloaded more than 20 million times. The impostor's version numbering gave it away: a brand-new package appeared at the "strangely high" version 6.0.2, chosen so that developers would take it for the current release of the real package.

ReversingLabs researchers see the findings as part of a growing trend: threat actors exploiting particular kinds of typosquatting so that enterprises inadvertently pull malware into their builds. According to a recent report by Checkmarx, half of npm packages are vulnerable to an old-school weapon, the Shift key: attackers register names that differ from the legitimate one only by capitalisation, punctuation, or a substituted character. The report highlights how the lack of accountability for these kinds of typosquatting leads to inadvertent malware downloads.
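As an added example (not code from ReversingLabs or Checkmarx), the following is the kind of name-similarity check an internal allow-list tool can run before a package is permitted into a build. It normalises away the edits described above (case, punctuation, visually confusable characters) and then measures edit distance, including adjacent-character swaps, against a trusted list. The trusted list, the confusable table and the distance threshold are assumptions chosen for illustration.

```javascript
// Added example: flag npm package names that differ from a trusted package only
// by case ("shift key"), punctuation, a confusable character, or a single typo.
const TRUSTED = ["agent-base", "cookie-proxy-agent", "lodash", "express"]; // constructed allow-list

// Characters an attacker can swap in that still read as the original. Assumed table.
const CONFUSABLES = { "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s" };

function normalizeName(name) {
  // Scoped packages look like @scope/name; compare the unscoped part.
  const bare = name.startsWith("@") ? name.split("/").pop() : name;
  return bare
    .toLowerCase()                                   // Agent-Base -> agent-base
    .replace(/[-_.]/g, "")                           // agent_base / agent.base -> agentbase
    .replace(/[0135@$]/g, (c) => CONFUSABLES[c] ?? c); // l0dash -> lodash
}

// Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition (agnet -> agent)
      }
    }
  }
  return d[a.length][b.length];
}

function checkTyposquat(candidate, trusted = TRUSTED) {
  if (trusted.includes(candidate)) {
    return { verdict: "trusted", target: candidate, reason: "exact match in trusted list" };
  }
  const norm = normalizeName(candidate);
  let best = null;
  for (const t of trusted) {
    const tn = normalizeName(t);
    if (tn === norm) {
      return { verdict: "suspicious", target: t, reason: "differs only by case, punctuation or confusable characters" };
    }
    const dist = editDistance(norm, tn);
    if (best === null || dist < best.dist) best = { t, dist };
  }
  // One edit on a normalised name of reasonable length is the classic typo. Threshold is an assumption.
  if (best && best.dist <= 1 && norm.length >= 4) {
    return { verdict: "suspicious", target: best.t, reason: `edit distance ${best.dist} from ${best.t}` };
  }
  return { verdict: "unknown", target: null, reason: "no close match in the trusted list" };
}

// Usage: checkTyposquat("Agent-Base") and checkTyposquat("agnet-base") both point at agent-base.
```

Treat "suspicious" as a triage signal rather than an automatic block: two legitimate packages can normalise to the same key (for example a hyphenated and an unhyphenated spelling), and the scoped-package handling will flag every @scope/agent-base, which is sometimes exactly the confusion an attacker wants and sometimes a perfectly good fork.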

The TurkoRat payload was built with the npm package pkg, which bundles a Node.js application and its files into a single executable; the bundled files live in a virtual file system that the executable reads at runtime. nodejs-encrypt-agent shipped this malicious portable executable (PE) inside the package, and commands hidden in index.js launched it as soon as the package was loaded. Reported behaviours include writing to and deleting from Windows system directories, executing commands, and tampering with DNS settings.

Although the packages have since been removed from npm, nodejs-encrypt-agent was downloaded approximately 500 times over two months and nodejs-cookie-proxy-agent fewer than 700 times. Those downloads almost certainly resulted in TurkoRat running on an unknown number of developer machines, and the long-term impact of the compromise is still difficult to measure.

The escalation of automated attacks against npm, NuGet, and PyPI underscores the growing sophistication of threats to open-source software supply chains. Attackers use automation to create both the packages and the user accounts that publish them, making it hard for security teams to keep up with takedowns. In March, more than a dozen components in the .NET repository NuGet were found impersonating legitimate software such as Coinbase and Microsoft ASP.NET and running a malicious script on installation, with no warning or alert to the developer.

In July 2022, ReversingLabs analysts uncovered a widespread campaign that used more than two dozen malicious npm packages, wrapped in JavaScript obfuscators, to steal form data from multiple sites and apps. Tech giants, Google among them, are taking steps to shore up the open-source supply chain: the deps.dev API gives developers information about the packages they are considering, and Assured OSS lets organisations pull the same open-source packages that Google vets and uses internally into their own developer workflows.

Lucija Valentić, software threat researcher with ReversingLabs, explains that there are many ways to identify malicious packages. She suggests inspecting the source code manually, installing and executing packages in an isolated environment, and double-checking anything out of place or unexpected, such as a package with no network-related purpose sending network requests. She also recommends asking whether an external dependency is needed at all to implement a particular function: if it is something simple, it may be better to handle it yourself than to introduce unverified code into your project. If you do need a library, review the code to make sure you are using the correct one, based on its name and reputation.
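The following is an added example, not ReversingLabs' tooling or the actual contents of the packages discussed: a static triage pass over an unpacked npm package that looks for the indicators described in this article (a PE binary shipped inside the package and executed from JavaScript, install-time lifecycle scripts, a brand-new package whose only release carries a mature version number, and network modules imported by a package with no stated network purpose). It is the sort of check to run in the isolated environment described above, before anything is installed for real. The package here is constructed in memory so the example runs offline; the rule names, severities and the version heuristic are assumptions.

```javascript
// Added example: static triage of an npm package's files for the indicators the
// article describes. `files` is a Map of path -> string|Buffer, as you would get
// from extracting the registry tarball; `publishedVersions` is the list of versions
// the registry shows for the package (supplied by the caller).
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const CHILD_PROCESS_RE = /require\(\s*["']child_process["']\s*\)|from\s+["']child_process["']/;
const EXEC_RE = /\b(?:exec|execSync|execFile|execFileSync|spawn|spawnSync)\s*\(/;
const NET_RE = /require\(\s*["'](?:http|https|net|dns|tls)["']\s*\)/;
const SEVERITY = { high: 3, medium: 2, low: 1 }; // assumed ranking

function toBuf(x) { return Buffer.isBuffer(x) ? x : Buffer.from(x, "utf8"); }

function isPE(buf) {
  // Windows PE files start with the DOS "MZ" header; check bytes, not file extensions.
  return buf.length >= 2 && buf[0] === 0x4d && buf[1] === 0x5a;
}

function triagePackage(files, publishedVersions = []) {
  const findings = [];
  const add = (rule, severity, path, detail) => findings.push({ rule, severity, path, detail });

  const pkg = files.has("package.json") ? JSON.parse(toBuf(files.get("package.json")).toString("utf8")) : {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) add("lifecycle-script", "medium", "package.json", `${hook}: ${pkg.scripts[hook]}`);
  }
  // Heuristic (assumption): a package whose first and only release is 6.0.2 never went through 0.x or 1.x.
  if (publishedVersions.length === 1 && !/^[01]\./.test(publishedVersions[0])) {
    add("version-anomaly", "medium", "package.json", `first and only release is ${publishedVersions[0]}`);
  }

  let peFound = false;
  let execFound = false;
  for (const [path, content] of files) {
    const buf = toBuf(content);
    if (isPE(buf)) { peFound = true; add("pe-binary", "medium", path, "starts with MZ header"); }
    if (!/\.(?:c?js|mjs)$/.test(path)) continue;
    const src = buf.toString("utf8");
    if (CHILD_PROCESS_RE.test(src) && EXEC_RE.test(src)) {
      execFound = true;
      add("child-process-exec", "medium", path, "imports child_process and executes an external process");
    }
    if (NET_RE.test(src)) add("network-module", "low", path, "imports a network module; compare with the package's stated purpose");
  }
  // The combination is the TurkoRat pattern: a bundled binary plus code that launches it.
  if (peFound && execFound) add("bundled-binary-execution", "high", "*", "PE shipped in package and JS that spawns processes");

  const top = findings.reduce((m, f) => Math.max(m, SEVERITY[f.severity]), 0);
  const verdict = top === 0 ? "clean" : Object.keys(SEVERITY).find((k) => SEVERITY[k] === top);
  return { verdict, findings };
}

// Constructed fixture modelled on the article's description; not the real package contents.
const suspiciousPackage = new Map([
  ["package.json", JSON.stringify({ name: "nodejs-encrypt-agent", version: "6.0.2", main: "index.js" })],
  ["index.js", [
    "const { execFile } = require('child_process');",
    "const path = require('path');",
    "module.exports = require('./lib/agent');",
    "execFile(path.join(__dirname, 'lib', 'agent.exe'));",
  ].join("\n")],
  ["lib/agent.js", "module.exports = class Agent {};"],
  ["lib/agent.exe", Buffer.concat([Buffer.from("MZ"), Buffer.alloc(62)])],
]);

// Constructed benign fixture: ordinary library code, a normal release history.
const cleanPackage = new Map([
  ["package.json", JSON.stringify({ name: "agent-base", version: "6.0.2", main: "index.js" })],
  ["index.js", "module.exports = class Agent { constructor(opts) { this.opts = opts; } };"],
]);

function demo() {
  return {
    suspicious: triagePackage(suspiciousPackage, ["6.0.2"]),
    clean: triagePackage(cleanPackage, ["6.0.2", "6.0.1", "5.1.1"]),
  };
}
```

The checks are deliberately byte- and source-level rather than behavioural: a pkg-built executable is still a PE whatever its extension, and the `child_process` plus `MZ` combination is cheap to test before any code runs. Dynamic confirmation (running the package in a sandbox and watching for process creation, file writes under system directories and DNS changes) is the next step, not a replacement for this one.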

Enterprises that rely on open-source components are increasingly exposed to supply chain attacks, and as those attacks grow in sophistication, effective supply chain security measures become more critical. The necessary precautions are concrete: use trusted open-source components, scan and monitor third-party code comprehensively, and educate development teams about current threats and security best practices.
