More Repo Issues as Malware Found in NPM Node.js Packages

Popular open-source repository NPM is back in the news after a pair of packages were found to contain malware. The malware in question is TurkoRat, an open-source information stealer with several components attached to it. Among them is a wallet grabber (wallets.js) that appears geared towards stealing cryptocurrency; the other components are ones you would expect from an info-stealer, such as credential theft. The packages were found by ReversingLabs after they had been in place for two months.

The attackers behind these packages used the ever-popular typosquatting technique to get their malicious packages into the hands of unwary developers. The two packages in question are nodejs-encrypt-agent and nodejs-cookie-proxy-agent. At the time of removal they had around 1,200 combined downloads. nodejs-encrypt-agent appears to have been impersonating a legitimate NPM package called agent-base: the attackers linked to the GitHub page of agent-base and changed the file name in the readme.md file. There was also the matter of the version number, which, while matching the version of agent-base, was not plausible for a package that had only been published two months earlier. All of these are clear red flags that something was not right, and they led to a much deeper look at the package.

Once the researchers had the package in hand, it was clear that it was not above board. Inside the package was a portable executable (PE) file, which is run right after installation via commands embedded in the index.js file. The PE file was well crafted, with sandbox evasion and other methods to avoid detection through direct analysis. After detailed analysis, the file was confirmed to be TurkoRat by comparing its JavaScript files against the GitHub repo for the open-source “Testing” info-stealer.

This incident, combined with others targeting Microsoft’s VSCode marketplace and PyPI, shows that attackers are looking to compromise development systems as part of software supply chain attacks. Popular repositories are at risk not only because they are widely trusted, but because there are, in many cases, few restrictions on naming, versioning, etc. This leaves these environments open to malicious activity and “poisoning the well” campaigns. In NPM it has been discovered that there is no case-sensitivity restriction on package names: if a legitimate package is called bob-package, someone can publish a malicious one called Bob-Package with no restrictions. Attackers can then mimic the version, readme file, and even the GitHub link to very easily fool someone into thinking their malicious package is the real one. It is more than a little concerning, especially given the reliance on open-source packages like Node.js in development. Happy coding.
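The red flags described above (install-time execution from index.js, a bundled PE file, and a package name that collides with or nearly matches a popular one) can be checked before a package is installed. The following is an added example written for this post, not code from ReversingLabs or from npm; it works on an in-memory manifest and file map, and the sample package, names and version are constructed, not the real malicious packages.

```javascript
// Added example: static red-flag checks over an unpacked npm package.
// Inputs: the parsed package.json object and a map of file path -> Buffer.

// True when a buffer carries a Windows PE image: "MZ" DOS header plus the
// "PE\0\0" signature at the offset stored in e_lfanew (bytes 0x3c..0x3f).
function isPeFile(buf) {
  if (buf.length < 0x40 || buf[0] !== 0x4d || buf[1] !== 0x5a) return false;
  const peOffset = buf.readUInt32LE(0x3c);
  return peOffset + 4 <= buf.length &&
    buf.toString('latin1', peOffset, peOffset + 4) === 'PE\0\0';
}

// Levenshtein edit distance, used to catch near-miss (typosquatted) names.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1,
        diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns a list of findings; an empty list means nothing was flagged.
function auditPackage(manifest, files, popularNames) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) findings.push(`lifecycle script ${hook}: ${scripts[hook]}`);
  }
  for (const [path, buf] of Object.entries(files)) {
    if (isPeFile(buf)) findings.push(`bundled Windows executable: ${path}`);
    if (path.endsWith('.js') && /child_process|execSync|spawn\(/.test(buf.toString('utf8')))
      findings.push(`process spawning in ${path}`);
  }
  const lower = (manifest.name || '').toLowerCase();
  for (const known of popularNames) {
    if (known === manifest.name) continue;
    if (known.toLowerCase() === lower) findings.push(`case-variant of ${known}`);
    else if (editDistance(lower, known.toLowerCase()) <= 2) findings.push(`near-miss of ${known}`);
  }
  return findings;
}

// Constructed sample modelled on the behaviour described in the post (not a real package).
const sampleManifest = { name: 'Bob-Package', version: '1.2.3', scripts: { postinstall: 'node index.js' } };
const sampleFiles = {
  'index.js': Buffer.from("require('child_process').execSync('bin/updater.exe');"),
  'bin/updater.exe': Buffer.concat([Buffer.from('MZ'), Buffer.alloc(0x3a),
    Buffer.from([0x40, 0, 0, 0]), Buffer.from('PE\0\0')]),
};
```

Run `auditPackage(sampleManifest, sampleFiles, ['bob-package', 'agent-base'])` to see all four flags raised on the constructed sample; a real review would unpack the tarball with `npm pack` and feed its files in the same shape.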
