Detection of Malware Packages in Open Source Registries
/ 3 min read
Quick take - On October 31, 2024, a detection platform uncovered a typosquatting campaign involving 287 malware packages targeting developers of popular libraries, which utilized deceptive techniques to compromise systems and collect sensitive information.
Fast Facts
- A typosquatting campaign targeting developers was identified on October 31, 2024, involving 287 malware packages in open source registries, particularly affecting libraries like Puppeteer and Bignum.js.
- The initial malware package, published to npm, included a postinstall hook that executed a non-existent file, while subsequent packages contained obfuscated JavaScript that exhibited typical malware behaviors.
- The malicious code interacts with Ethereum smart contracts to retrieve IP addresses and construct download URLs, indicating sophisticated deception tactics.
- The malware collects system information (GPU, CPU, memory usage, etc.) and transmits it to the attacker’s server, aiming to compromise developers’ systems through typosquatted packages.
- The ongoing campaign reflects an evolving threat in supply chain attacks, emphasizing the need for increased vigilance in the software development community.
Detection of Suspicious Packages in Open Source Registries
On October 31, 2024, a detection platform identified a series of suspicious packages within open source registries. This marked the emergence of a typosquatting campaign aimed at developers utilizing libraries such as Puppeteer, Bignum.js, and various cryptocurrency tools. In total, 287 malware packages have been detected as part of this ongoing initiative. This follows a previous attack targeting forks of Ethers.js.
Malware Characteristics
The initial malware package was published to npm. It featured a postinstall hook designed to execute a file that was ultimately not included in the package. Subsequent packages contained obfuscated JavaScript code that activated during installation and exhibited typical malware behaviors. These behaviors included constructing download URLs and fetching remote executables, demonstrating a sophisticated approach to deception.
The malicious code interacts with an Ethereum smart contract, retrieving an IP address linked to a specified contract address. The Application Binary Interface (ABI) is employed to facilitate JavaScript interaction with the smart contract’s functions. A provider is established to connect to the Ethereum mainnet for read-only operations, and a contract instance is created to enable interaction with the smart contract. An asynchronous function is defined to extract a string, such as an IP address, using an Ethereum address as an input parameter. This retrieved IP address is subsequently used to attempt access to non-existent files, suggesting malicious intent.
Implications and Ongoing Threat
The Ethereum blockchain’s immutable nature allows for the tracking of IP addresses utilized by the threat actor, adding a layer of complexity to the investigation. Additional functions within the malware are designed to construct download URLs and execute further malicious actions on the target machine. The primary payload of the malware is a packed Vercel package, which not only adds itself to the system’s startup but also utilizes the Ethereum contract mechanism to update its IP address. Data collected by the malware includes system information such as GPU, CPU, memory usage, username, and OS version, which is then transmitted back to the attacker’s server.
The overarching goal of this campaign appears to be to deceive developers into installing typosquatted packages, compromising their systems. New malware packages have been released shortly following the initial wave, indicating a calculated strategy to closely imitate legitimate package names associated with recent updates to Puppeteer. The campaign is ongoing, with expectations of further malicious package publications in the near future.
This situation underscores the evolving threat posed by supply chain attacks and highlights the necessity for heightened vigilance within the software development community to safeguard against such threats.
Original Source: Read the Full Article Here
