Malicious npm Packages Identified as Threat to Developers
Quick take - Several malicious npm packages that pose as utilities for retrieving a request's IP address have been found targeting developers on Windows, Linux, and macOS. They deliver OS-specific trojans and cryptocurrency stealers, prompting renewed calls for stronger software supply chain controls.
Fast Facts
- Multiple malicious npm packages, including “node-request-ip,” “request-ip-check,” and “request-ip-validator,” have been identified, targeting developers on Windows, Linux, and macOS.
- The packages impersonate the legitimate “request-ip” utility, which returns the IP address of an incoming request, and drop trojans and cryptocurrency stealers.
- Sonatype tracks the packages as sonatype-2024-011414; its automated malware detection flagged them, and the Sonatype Repository Firewall blocks them.
- The malicious executables can execute JavaScript, establish WebSocket connections to attacker-controlled servers, and exfiltrate sensitive data.
- This incident is part of a broader campaign involving multiple typosquatting packages, highlighting the need for improved supply chain security and vigilant monitoring of third-party software.
Multiple Malicious npm Packages Identified
Several malicious npm packages named “node-request-ip,” “request-ip-check,” and “request-ip-validator” have been identified. They pose as utilities for retrieving the IP address of an incoming request and target developers on Windows, Linux, and macOS, delivering executables that act as trojans and cryptocurrency stealers.
Analysis and Detection
Security researchers Carlos Fernández and Adam Reynolds analyzed the packages. Each falsely describes itself as “a small Node.js module to retrieve the request’s IP address,” imitating the legitimate “request-ip” package. Sonatype tracks the packages as sonatype-2024-011414; its automated malware detection flagged them, and the Sonatype Repository Firewall blocks them.
The packages contain obfuscated code that downloads an executable matched to the host operating system from the IP address 95.216.251[.]178. The retrieved binaries include Windows EXEs and Linux ELFs. VirusTotal flags several of them, including a counterfeit ‘svchost.exe’ masquerading as the legitimate Windows system process and a Linux executable named ‘gsd-mouse’ detected as a trojan.
Ongoing Threat and Recommendations
Once run, the binaries can execute JavaScript on the infected machine, giving the attacker persistent control and a channel for exfiltration: the malware opens a WebSocket connection to an attacker-controlled server, over which it receives commands and sends harvested data. The incident is part of a campaign that has been running for several months.
Findings from September had already identified a typosquat named “express-dompurify,” impersonating the legitimate npm library “dompurify”; it used the same IP address as the current packages. Other typosquats tied to the campaign include bcryptutils, express-bcryptjs, express-core-cache, express-eval, and nestjs-validator. The pattern suggests a single group running several campaigns, each aimed at a different developer niche with binaries tailored to it.
The incident highlights how threat actors continue to exploit the open-source ecosystem and underlines the need for stronger supply chain security. Vigilant monitoring of third-party registries is necessary, and organizations should build security into their development processes rather than bolt it on afterwards. Practitioners should also verify that a dependency's name matches the package they actually intended (here, request-ip rather than node-request-ip) and treat install-time scripts that fetch platform-specific binaries as a red flag. Tools such as Sonatype Repository Firewall and Sonatype Lifecycle detect and block malware, potentially unwanted applications (PUAs), and vulnerable components; Sonatype Repository Firewall users have these packages blocked from their development builds, helping maintain a secure software development life cycle (SDLC).
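The traits described above (a real package name with a token bolted on, as in node-request-ip or express-dompurify; an install-time script; and code that picks an OS-specific binary and pulls it from a hard-coded IP address) are enough for a first-pass triage check before a dependency is allowed into a build. The Node.js script below is an added example written for this page; it is not code from Sonatype or from the packages discussed. The list of legitimate names, the filler tokens, the sample package contents and the 203.0.113.10 address (an RFC 5737 documentation range, not the server named in the article) are all constructed for the demonstration.

```javascript
// Added example (not Sonatype's code): first-pass triage of an npm package
// for the three traits the article describes: a typosquatted name, an
// install-time script, and hard-coded IP addresses / platform-specific
// binary drops in the package source.

// Legitimate packages the campaign imitated (assumed list; extend it with
// your organisation's own dependency allowlist).
const LEGIT = ['request-ip', 'dompurify', 'bcrypt', 'bcryptjs', 'express', 'nestjs'];
// Tokens typosquatters glue onto a real name (node-request-ip, request-ip-check).
const FILLER = ['node', 'express', 'check', 'validator', 'utils', 'core', 'js'];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const IPV4 = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;

// Levenshtein distance, used to catch one-character typos of a real name.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const sub = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + sub);
    }
  }
  return dp[a.length][b.length];
}

// Return the legitimate package that `name` most likely imitates, or null.
function typosquatOf(name, legit = LEGIT) {
  if (legit.includes(name)) return null; // the genuine package itself
  for (const real of legit) {
    if (editDistance(name, real) <= 1) return real; // one-character typo
    // Real name with filler tokens prepended or appended.
    let rest = null;
    if (name.startsWith(real)) rest = name.slice(real.length);
    else if (name.endsWith(real)) rest = name.slice(0, name.length - real.length);
    if (rest !== null) {
      const tokens = rest.split('-').filter(Boolean);
      if (tokens.length > 0 && tokens.every((t) => FILLER.includes(t))) return real;
    }
  }
  return null;
}

// pkg = { name, manifest: parsed package.json, files: { relativePath: sourceText } }
function triagePackage(pkg) {
  const findings = [];
  const real = typosquatOf(pkg.name);
  if (real) findings.push({ type: 'typosquat', detail: `"${pkg.name}" resembles "${real}"` });

  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ type: 'install-hook', detail: `${hook}: ${scripts[hook]}` });
  }

  for (const [path, text] of Object.entries(pkg.files || {})) {
    // Routable IPv4 literals; loopback and 0.0.0.0 are ignored.
    const ips = new Set((text.match(IPV4) || []).filter((ip) => !ip.startsWith('127.') && ip !== '0.0.0.0'));
    for (const ip of ips) findings.push({ type: 'hardcoded-ip', detail: `${path}: ${ip}` });
    // Branches on the OS, fetches over HTTP and runs something: the dropper pattern.
    if (/process\.platform/.test(text) && /https?:\/\//.test(text) && /\b(execFile|exec|spawn|chmod)\b/.test(text)) {
      findings.push({ type: 'platform-dropper', detail: `${path}: OS-specific download-and-execute` });
    }
  }
  return findings;
}

// Constructed sample modelled on the article's description. The address is
// from the RFC 5737 documentation range, not the server named in the article.
const SAMPLE = {
  name: 'request-ip-check',
  manifest: { name: 'request-ip-check', version: '1.0.2', scripts: { postinstall: 'node setup.js' } },
  files: {
    'index.js': "module.exports = (req) => req.headers['x-forwarded-for'] || req.socket.remoteAddress;",
    'setup.js': [
      "const { execFile } = require('child_process');",
      "const bin = process.platform === 'win32' ? 'svchost.exe' : 'gsd-mouse';",
      "const url = 'http://203.0.113.10/' + bin;",
      '// ... download url to disk, chmod +x, then execFile(bin)',
    ].join('\n'),
  },
};

for (const f of triagePackage(SAMPLE)) console.log(`[${f.type}] ${f.detail}`);
```

Run against the constructed sample it reports all four findings. The name heuristic is deliberately crude: genuine packages such as express-validator will trip it, so it belongs in a review queue with an allowlist rather than as a hard block, and the real value is in combining the name match with the install hook and the download-and-execute pattern, which a benign utility for reading a request header has no reason to carry.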
Original Source: Read the Full Article Here