
Once Again, Malware Found Concealed in npm


Recent investigations by ReversingLabs have uncovered two code packages named “nodejs-encrypt-agent” in the npm JavaScript library and registry that contained the open-source TurkoRat malware. The threat actors behind the packages attempted to impersonate a legitimate package, agent-base version 6.0.2, which has been downloaded over 20 million times. The packages showed irregularities in their version numbers: the attackers used a “strangely high version number”, 6.0.2, to bait developers into downloading what appeared to be the latest release of the package.

ReversingLabs researchers describe the findings as part of a growing trend of threat actors taking advantage of certain types of typosquatting, which can lead enterprises to inadvertently download malware. According to a recent report by Checkmarx, half of npm packages are vulnerable to an old-school weapon, the shift key: attackers rely on names built from misspellings, punctuation errors, and substituted characters. The report highlights how a lack of accountability for these types of typosquatting can lead to inadvertent malware downloads.
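A defender's first line against the shift-key and substitution variants described above is to check every new dependency name against the packages a team actually intends to use. The following is an added example written for this article, not ReversingLabs or Checkmarx code; the allowlist of "popular" names and the candidate names are constructed for illustration, and the separator-folding rule and edit-distance threshold are design choices of this example rather than anything the report specifies.

```python
"""Flag dependency names that look like typosquats of known packages.

Added example (not from the article or the vendors it cites). POPULAR is a
constructed allowlist; in practice it would be the organisation's approved
dependency list.
"""

# Constructed allowlist of well-known package names (hypothetical subset).
POPULAR = {"agent-base", "lodash", "express", "node-fetch", "chalk"}


def canonical(name: str) -> str:
    """Fold separators so 'agent_base', 'agentbase' and 'agent.base' all
    collapse to 'agentbase' (the shift-key '-' vs '_' confusion, and
    punctuation errors, live entirely in these characters)."""
    return "".join(ch for ch in name.lower() if ch not in "-_.")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance: one insertion, deletion or substitution
    per unit. Catches single-character misspellings and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, popular=POPULAR, max_distance: int = 1):
    """Return (popular_name, reason) pairs that `name` may be squatting.

    An exact allowlist hit returns nothing: that is the package you wanted.
    """
    hits = []
    if name in popular:
        return hits
    for p in popular:
        if canonical(name) == canonical(p):
            hits.append((p, "separator/punctuation variant"))
        elif edit_distance(name.lower(), p) <= max_distance:
            hits.append((p, "single-character edit"))
    return sorted(hits)


if __name__ == "__main__":
    for candidate in ("agent_base", "expres", "express", "nodejs-encrypt-agent"):
        print(candidate, "->", typosquat_candidates(candidate))
```

Note the last probe in the usage: `nodejs-encrypt-agent` produces no hit against `agent-base`, because the package in this story was an impersonation by theme and version number, not a near-miss spelling. Name-distance checks catch the shift-key class of squats the Checkmarx report describes; they do not replace reviewing what a package actually does, which the rest of the article turns to.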

The malicious TurkoRat package used the npm package “pkg” to bundle its files into a single executable, with the files stored in a virtual file system that is accessible at runtime. nodejs-encrypt-agent contained a malicious portable executable (PE) file that ran as soon as the package was executed, launched by hidden malicious commands in the index.js file. The malicious behaviors reportedly included writing to and deleting from Windows system directories, executing commands, and tampering with DNS settings.

While the TurkoRat package has been removed from the npm library, nodejs-encrypt-agent was downloaded approximately 500 times in two months, and nodejs-cookie-proxy-agent fewer than 700 times. The malicious packages were almost certainly responsible for TurkoRat being run on an unknown number of developers’ machines. The long-term impact of the compromise is still difficult to measure.

The escalation of automated cyberattacks against npm, NuGet, and PyPI underscores the growing sophistication of threat actors and of threats against open-source software supply chains. Attackers use automated processes to create the packages and user accounts, making it hard for security teams to take them down. In March, over a dozen components in the .NET code repository were impersonating legitimate software, such as Coinbase and Microsoft ASP.NET, and ran a malicious script upon installation, with no warning or alert.

In July 2022, analysts with ReversingLabs uncovered a widespread campaign that used over 24 malicious npm packages loaded with JavaScript obfuscators to steal form data from multiple sites and apps. Tech giants, including Google, are taking steps to shore up security in the open-source software supply chain through the deps.dev API, which gives developers information about the packages they are considering using, and Assured OSS, which lets organizations incorporate the same open-source packages Google secures and uses into their developer workflows.

Lucija Valentić, software threat researcher with ReversingLabs, explains that there are many ways to identify malicious packages. She suggests inspecting the source code manually, installing and executing packages in an isolated environment, and double-checking and verifying anything out of place or unexpected, such as packages with no network-related purpose sending network requests. She also recommends checking whether an external dependency is really needed to implement a particular function. If it is something simple, it may be better to handle it yourself than to introduce unverified code into your project. If you do need a library, review the code to ensure you are using the correct one based on its name and reputation.
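The two technical points above, the bundled PE launched from index.js described earlier and Valentić's advice to look for behaviour a package has no reason to need, can be turned into a static triage pass over an unpacked package before it is ever installed. The script below is an added example written for this article, not ReversingLabs tooling. It writes a constructed sample package (made-up name, files and contents) to a temporary directory so it runs offline, then reports three things: lifecycle scripts that run on install, files carrying a Windows PE header, and JavaScript sources that require modules for command execution, DNS, networking or filesystem access. The list of "risky" modules is this example's own choice.

```python
"""Static triage of an unpacked npm package directory.

Added example, not code from the article or ReversingLabs. The sample
package written by write_sample_package() is constructed for illustration.
"""
import json
import os
import re
import struct
import tempfile

# npm runs these automatically during install; a malicious package uses them
# to start its payload with no action from the developer.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# Modules whose presence deserves a second look when the package's stated
# purpose does not call for them (example's own list).
RISKY_MODULES = {
    "child_process": "executes commands",
    "dns": "touches DNS resolution",
    "net": "opens raw sockets",
    "http": "makes network requests",
    "https": "makes network requests",
    "fs": "reads/writes/deletes files",
}

REQUIRE_RE = re.compile(r"""require\(\s*['"]([\w:/.-]+)['"]\s*\)""")


def is_pe(path: str) -> bool:
    """True if the file has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'.
    Catches binaries regardless of their file extension."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\0\0"


def audit_package(root: str) -> dict:
    """Walk an unpacked package and collect install-time and behavioural flags."""
    report = {"lifecycle_scripts": {}, "pe_files": [], "module_uses": {}}
    with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    report["lifecycle_scripts"] = {k: v for k, v in scripts.items() if k in LIFECYCLE}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if is_pe(path):
                report["pe_files"].append(rel)
            if name.endswith((".js", ".cjs", ".mjs")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                # 'node:dns' and 'dns' are the same built-in module.
                found = {m.removeprefix("node:") for m in REQUIRE_RE.findall(src)}
                mods = sorted(found & RISKY_MODULES.keys())
                if mods:
                    report["module_uses"][rel] = mods
    report["pe_files"].sort()
    return report


def _fake_pe() -> bytes:
    """Minimal header: 'MZ' at 0, e_lfanew at 0x3C pointing to 'PE\\0\\0' at 0x40."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0" * 20


def write_sample_package(root: str) -> None:
    """Constructed fixture: a 'proxy agent' that ships a binary and a postinstall hook."""
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "example-proxy-agent", "version": "6.0.2",
                   "scripts": {"postinstall": "node index.js", "test": "jest"}}, fh)
    with open(os.path.join(root, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("// constructed: nothing about a proxy agent needs these two modules\n"
                 "const cp = require('child_process');\n"
                 "const dns = require('node:dns');\n")
    with open(os.path.join(root, "lib", "ok.js"), "w", encoding="utf-8") as fh:
        fh.write("const path = require('path');\n"
                 "module.exports = (p) => path.basename(p);\n")
    with open(os.path.join(root, "bin", "agent.exe"), "wb") as fh:
        fh.write(_fake_pe())


def run_demo() -> dict:
    """Build the constructed package in a temp dir and audit it."""
    root = tempfile.mkdtemp(prefix="npm-triage-")
    write_sample_package(root)
    return audit_package(root)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Each flag on its own is not proof of malice: plenty of legitimate packages have a `postinstall` step or ship native binaries. The useful signal is the combination, and the mismatch with the package's stated purpose, which is exactly the "out of place or unexpected" test Valentić describes. Running this over a package extracted with `npm pack` in an isolated environment, before `npm install` gets a chance to execute any lifecycle script, keeps the review static.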

Enterprises that rely on open-source software components in their systems are finding themselves increasingly vulnerable to supply chain attacks. As these attacks continue to grow in sophistication, the need for effective supply chain security measures is becoming more critical than ever before. It is imperative that organizations take necessary precautions, such as using trusted open-source software components, implementing comprehensive scanning and monitoring of third-party code, and educating their development teams about the latest threats and best practices in security.
