Malware authors once again successfully introduced malicious libraries into npm


Automated malware detection systems have once again flagged several malicious packages hidden in the npm registry.

Posing as legitimate JavaScript libraries, the latest set of packages launched cryptominers on Windows, macOS, and Linux machines.

“Once again, this particular discovery is further indication that developers are the new target of adversaries on the software they write,” wrote Sonatype, noting that all of the packages were published by the same author.

Sonatype researchers reported the malicious packages (named okhsa, klow, and klown) to npm just hours after they were released, and they were delisted the same day, causing little to no damage.

Unclear intentions

Attacks on public repositories such as JavaScript's npm and Python's PyPI are not new, but their intensity has increased of late. In fact, a recent report concluded that supply chain attacks aimed at upstream open source public repositories saw a 650% year-over-year increase in 2021.

npm is not immune to these infiltrations, and Sonatype has previously shared that its automated systems have identified over 12,000 suspicious and malicious npm packages since 2019.

What’s interesting about these newly flagged (and subsequently removed) packages is that they didn’t use any of the usual ploys to trick developers into installing them.

“It is not clear how the author of these packages aims to target developers. There is no obvious sign observed that indicates a case of typosquatting or dependency abuse. ‘klow(n)’ impersonates the legitimate UAParser.js library on the surface, making this attack look like a weak attempt at trademark hijacking,” the researchers observe.
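The practical takeaway for a developer is to check whether any of the named packages, or a near-miss of a package you actually depend on, has made it into a lockfile. The script below is an added example and is not Sonatype's tooling: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3), flags the three names from this report, and, going one step beyond the article, also flags names within one edit of a short list of popular packages as possible typosquats. The popular-package list and the sample lockfile are constructed for illustration.

```javascript
// Added example, not Sonatype's code: audit an npm lockfile for
// block-listed package names and for near-miss (typosquat-style) names.

// The three names are the packages reported in the article.
const BLOCKLIST = new Set(["okhsa", "klow", "klown"]);

// Assumed list of popular packages to compare against for near-miss names.
const POPULAR = ["ua-parser-js", "lodash", "express", "react"];

// Plain Levenshtein edit distance; one edit catches single-character typos.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,        // deletion
        dp[i][j - 1] + 1,        // insertion
        dp[i - 1][j - 1] + cost  // substitution
      );
    }
  }
  return dp[a.length][b.length];
}

// Collect package names from a lockfileVersion 2/3 "packages" map. Keys look
// like "node_modules/foo" or "node_modules/foo/node_modules/@scope/bar";
// the name is whatever follows the last "node_modules/" segment.
function packageNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    if (key === "") continue; // the root project entry
    const parts = key.split("node_modules/");
    const name = parts[parts.length - 1];
    if (name) names.add(name);
  }
  return [...names];
}

// Returns one finding per suspicious package: either block-listed outright
// or within one edit of a popular package it is not identical to.
function auditLockfile(lock) {
  const findings = [];
  for (const name of packageNames(lock)) {
    if (BLOCKLIST.has(name)) {
      findings.push({ name, reason: "blocklisted" });
      continue;
    }
    for (const popular of POPULAR) {
      const d = editDistance(name, popular);
      if (d === 1) {
        findings.push({ name, reason: `near-miss of ${popular}` });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample lockfile (not from any real project). It contains one
// block-listed package and one near-miss of lodash nested under express.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/ua-parser-js": { version: "1.0.2" },
    "node_modules/klown": { version: "1.0.0" },
    "node_modules/express/node_modules/loadash": { version: "0.0.1" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The edit-distance check is deliberately strict (distance exactly 1) to keep false positives down; it would not have caught `klow(n)`, which, as the researchers note, does not resemble the library it impersonates by name.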

Sonatype says it is now extending the malware-detection capabilities that caught these npm packages to other ecosystems as well, such as PyPI.
