Malicious NPM packages are part of a malware "barrage" hitting repositories:
Researchers have found another 17 malicious packages in an open source repository, as the use of such repositories to spread malware continues to flourish.
This time, the malicious code was found in NPM, where 11 million developers trade more than 1 million packages among each other. Many of the 17 malicious packages appear to have been spread by different threat actors who used varying techniques and amounts of effort to trick developers into downloading malicious wares instead of the benign ones intended.
This latest discovery continues a trend first spotted a few years ago, in which miscreants sneak information stealers, keyloggers, or other types of malware into packages available in NPM, RubyGems, PyPi, or another repository. In many cases, the malicious package has a name that's a single letter different than a legitimate package. Often, the malicious package includes the same code and functionality as the package being impersonated and adds concealed code that carries out additional nefarious actions.
"We are witnessing a recent barrage of malicious software hosted and delivered through open-source software repositories," JFrog researchers Andrey Polkovnychenko and Shachar Menashe wrote on Wednesday. "Public repositories have become a handy instrument for malware distribution: the repository's server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client, provides a ripe attack vector."
Recently: Malware Downloaded from PyPI 41,000 Times Was Surprisingly Stealthy
Related Stories
Malware downloaded from PyPI 41,000 times was surprisingly stealthy:
PyPI—the open source repository that both large and small organizations use to download code libraries—was hosting 11 malicious packages that were downloaded more than 41,000 times in one of the latest reported such incidents threatening the software supply chain.
JFrog, a security firm that monitors PyPI and other repositories for malware, said the packages are notable for the lengths its developers took to camouflage their malicious code from network detection. Those lengths include a novel mechanism that uses what's known as a reverse shell to proxy communications with control servers through the Fastly content distribution network. Another technique is DNS tunneling, something that JFrog said it had never seen before in malicious software uploaded to PyPI.
"Package managers are a growing and powerful vector for the unintentional installation of malicious code, and as we discovered with these 11 new PyPI packages, attackers are getting more sophisticated in their approach, Shachar Menashe, senior director of JFrog research, wrote in an email. "The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling (the first we've seen in packages uploaded to PyPI) signal a disturbing trend that attackers are becoming stealthier in their attacks on open source software."
The researchers said that PyPI quickly removed all malicious packages once JFrog reported them.
Researchers have determined that two fake AWS packages downloaded hundreds of times from the open source NPM JavaScript repository contained carefully concealed code that backdoored developers' computers when executed.
The packages—img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy—were attempts to appear as aws-s3-object-multipart-copy, a legitimate JavaScript library for copying files using Amazon's S3 cloud service. The fake files included all the code found in the legitimate library but added an additional JavaScript file named loadformat.js.
[...] "We have reported these packages for removal, however the malicious packages remained available on npm for nearly two days," researchers from Phylum, the security firm that spotted the packages, wrote. "This is worrying as it implies that most systems are unable to detect and promptly report on these packages, leaving developers vulnerable to attack for longer periods of time."
[...] In the past 17 months, threat actors backed by the North Korean government have targeted developers twice, one of those using a zero-day vulnerability.
Phylum researchers provided a deep-dive analysis of how the concealment worked
[...]
One of the most innovative methods in recent memory for concealing an open source backdoor was discovered in March, just weeks before it was to be included in a production release of the XZ Utils[...] The person or group responsible spent years working on the backdoor. Besides the sophistication of the concealment method, the entity devoted large amounts of time to producing high-quality code for open source projects in a successful effort to build trust with other developers.
In May, Phylum disrupted a separate campaign that backdoored a package available in PyPI that also used steganography, a technique that embeds secret code into images.
"In the last few years, we've seen a dramatic rise in the sophistication and volume of malicious packages published to open source ecosystems," Phylum researchers wrote. "Make no mistake, these attacks are successful. It is absolutely imperative that developers and security organizations alike are keenly aware of this fact and are deeply vigilant with regard to open source libraries they consume."
Related stories on SoylentNews:
Trojanized jQuery Packages Found on Npm, GitHub, and jsDelivr Code Repositories - 20240713
48 Malicious Npm Packages Found Deploying Reverse Shells on Developer Systems - 20231104
Open-Source Security: It's Too Easy to Upload 'Devastating' Malicious Packages, Warns Google - 20220504
Dev Corrupts NPM Libs 'Colors' and 'Faker' Breaking Thousands of Apps - 20220111
Malicious NPM Packages are Part of a Malware "Barrage" Hitting Repositories - 20211213
Heavily Used Node.js Package Has a Code Injection Vulnerability - 20210227
Discord-Stealing Malware Invades NPM Packages - 20210124
Here's how NPM Plans to Improve Security and Reliability in 2019 - 20181217
NPM Fails Worldwide With "ERR! 418 I'm a Teapot" Error - 20180530
Backdoored Python Library Caught Stealing SSH Credentials - 20180511
(Score: 2) by drussell on Monday December 13 2021, @07:17PM (12 children)
WTF is NPM?
(Score: 4, Informative) by janrinok on Monday December 13 2021, @07:18PM
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 2, Informative) by Anonymous Coward on Monday December 13 2021, @07:28PM (3 children)
A Microsoft product.
(Score: 2) by Runaway1956 on Monday December 13 2021, @09:12PM (1 child)
That's only half the story. It's javascript. Javascript by Microsoft.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 2) by Reziac on Tuesday December 14 2021, @02:27AM
Wiki sayeth...
The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious.[19] Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious.[21]
And there is no Alkibiades to come back and save us from ourselves.
(Score: 0) by Anonymous Coward on Tuesday December 14 2021, @01:40PM
To be pedantic, it was an independent product that Microsoft acquired. Why write your own garbage software when you can just wait for someone else to write it, then buy it?
(Score: 2, Informative) by Anonymous Coward on Monday December 13 2021, @08:35PM
A highly-buzzword malware vector.
(Score: 1, Funny) by Anonymous Coward on Monday December 13 2021, @08:38PM (2 children)
A millennial programmer's wet dream.
(Score: 1, Insightful) by Anonymous Coward on Tuesday December 14 2021, @12:53AM
As a millenial programmer I am here to say I hate NPM.
Even assuming it wasn't a malware delivery nightmare the versioning issues that are supposed to be made easy are frequently a giant pain in the ass. If you aren't constantly maintaining your project you'll find that package updates can break your project, force you to find alternatives, or WORST OF ALL dependencies get removed and you spend way more time trying to figure out replacements.
(Score: 0) by Anonymous Coward on Tuesday December 14 2021, @03:22AM
They seem to be every programmer's wet dream since the idea of software repositories is older than millennials.
(Score: 2) by Freeman on Monday December 13 2021, @08:59PM (1 child)
The reason DannyB is the way he is, considering his association with the Java language.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 1, Funny) by Anonymous Coward on Tuesday December 14 2021, @03:43AM
Even though DannyB is a Maven at Java, that doesn't change that Java != JavaScript and that JavaScript !== Java.
(Score: 2) by isostatic on Tuesday December 14 2021, @03:14PM
It stands for New Propagation of Malware
(Score: 2) by Mykl on Monday December 13 2021, @08:21PM (2 children)
Frankly, I'm amazed that it took this long for threat actors to come up with this approach. The Open Source movement, by definition, has struggled with 'credentialing' developers and packages (it's hard enough even in a walled garden), meaning it's fallen upon the rest of the community to spot the few bad actors in their midst.
We're all one typo away from being pwned.
(Score: 4, Interesting) by Thexalon on Monday December 13 2021, @08:41PM (1 child)
"I'm not paying you to sit there reading other people's code!" - Every developer's manager, everywhere, in every organization.
That's why actually reading through library code to check it for maliciousness doesn't happen, which makes it really really easy to sneak malicious stuff into a library. Oh, and even if your developer organization bans including random libraries from the Internet, it will happen, because some dev will want to save time and avoid re-inventing the wheel and will instead pull stuff in from a library, even if they're not supposed to.
While it's true that many eyeballs make bugs shallower, a lot of stuff really doesn't get the number of eyeballs it should based on the importance it has in a system.
Vote for Pedro
(Score: 3, Interesting) by FatPhil on Tuesday December 14 2021, @12:13AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Interesting) by VLM on Monday December 13 2021, @09:24PM
I have to say 17 is a pretty small "barrage"
My personal experience with uploading npm packages is they whitelist and you need to open a trouble ticket and ask pretty please every time you upload a new package.
The namespace is crowded and I've seen some pretty weird names. I would guess in the long run instead of names you'll specify some kind of path-of-trust. No matter how elaborate you make the signing mechanism and processing, Debian is a kind of extreme example, you'll still have people randomly installing any old stuff they see online. "Oh look a npm that claims to install comet cursor, I needs me that" and then they get powned.
(Score: 2) by bradley13 on Monday December 13 2021, @10:03PM (8 children)
Include random libraries, rather than writing your own code. If course, those libraries load other libraries, which in turn load more libraries. So your little web page winds up downloading 5MB of crap, in order to parse an email address...
Everyone is somebody else's weirdo.
(Score: 2) by vux984 on Monday December 13 2021, @11:15PM (2 children)
On the other hand a popular library probably does it right. I've been on WAY too many websites that rejected a perfectly valid email address because it was written by someone who thought they were smart enough but wasn't.
And I'm not even talking about those fun obscure cases. I'm talking pretty basic stuff like rejecting an underscore or hyphen in the name, or rejecting valid TLDs like .edu, or even rejecting addresses with more than 2 subdomains (e.g. rejecting example@sub.domain.co.uk), or rejecting a domain name that is numerical, like someone@777.com
(Score: 2) by Reziac on Tuesday December 14 2021, @02:34AM
I have an earthlink.net addy I've had since forever. It STILL gets rejected by the odd stupid form, even tho at one time it was the second most common email domain and you'd think after 27 years they'd have figured it out, but apparently not.
And there is no Alkibiades to come back and save us from ourselves.
(Score: 0) by Anonymous Coward on Tuesday December 14 2021, @01:49PM
The hard task is finding third party libraries with stable APIs and zero transitive dependencies. Those are about as common as unicorns.
(Score: 1, Informative) by Anonymous Coward on Tuesday December 14 2021, @04:55AM (4 children)
Fools. Everybody knows that a regex is the best way to parse email addresses.
(Score: 0) by Anonymous Coward on Tuesday December 14 2021, @08:26AM (1 child)
(Score: 1, Touché) by Anonymous Coward on Tuesday December 14 2021, @09:48AM
If you are going to steal a regex from stack overflow, you might as well copy one that actually follows the specification.
(Score: 0) by Anonymous Coward on Tuesday December 14 2021, @01:51PM (1 child)
You can write sane complex regexes if you use named capture groups. Damian Conway has some videos on it.
(Score: 1, Interesting) by Anonymous Coward on Tuesday December 14 2021, @11:20PM
In addition to named groups, I like to build complex regular expressions explicitly from simpler ones using string formatting out of its component parts. To use an example leaving out the named groups, start with
Now you see that requires a local-part and a domain. So you add those
And you keep going until you build your regular expression. The nice thing about it is that it can make it much easier to go back and see what is going on. Another benefit is that modern "regex" engines support context-sensitive grammars which can be harder to reason about with named groups alone. Finally, you can use language features that can be clearer with long lists of disjuncts, highly-nested definitions, or more performant by building prefix trees and other harder to grasp structures as you go.