Malware authors once again successfully introduced malicious libraries into npm
Automated malware detection systems have once again flagged several malicious packages hidden in the npm registry.
“Once again, this particular discovery is a further indication that developers are the new target of adversaries on the software they write,” wrote Sonatype, noting that all of the packages were published by the same author.
Sonatype researchers reported the malicious packages (named okhsa, klow and klown) to npm just hours after they were released, and they were delisted the same day, causing little to no damage.
npm is not immune to these infiltrations: Sonatype has previously stated that its automated systems have identified over 12,000 suspicious and malicious npm packages since 2019.
What’s interesting about these newly flagged (and subsequently removed) packages is that they didn’t use any of the usual ploys to trick developers into installing them.
“It is not clear how the author of these packages aims to target developers. There is no obvious sign observed that indicates a case of typosquatting or dependency abuse. ‘Klow(n)’ impersonates the legitimate UAParser.js library on the surface, making this attack look like a weak attempt at trademark hijacking,” the researchers observe.
Sonatype says it is now extending the malware detection capabilities that caught these packages in npm to other ecosystems as well, such as PyPI.