This Week in Malware, Sonatype's automated malware detection systems flagged npm packages that ship with built-in backdoors. Other highlights include an interesting pattern of "mystery placeholder" packages seen on npm in recent days, and a dangerous npm flaw that let attackers add anyone as a "maintainer" of their malicious packages.
1. Backdoored npm packages
Malicious packages flagged by our automated malware detection systems include:
- pix xui
These have been assigned sonatype-2022-2481 in our security research data.
Although their names reveal little about their purpose or target, these packages begin malicious activity as soon as they are installed. For example, in 'wickjs', the manifest file (package.json) runs index.js in the preinstall stage:
The index.js file, in addition to pulling off a standard dependency confusion attack, attempts to add the author's public SSH key to the list of authorized SSH keys on the infected system:
Some versions of 'wickjs' and the other malicious packages additionally act as a backdoor by establishing a TCP reverse shell connection to the attacker's machine (line 22 shown below), after which the attacker can execute arbitrary commands on the infected system.
After our report to npm, these malicious packages were removed by the npm security team. Users of Nexus Firewall remain protected against open source attacks like these.
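One way to triage a package for the two behaviours described above, as an added example (not Sonatype's code or tooling): a small Node script that lists the lifecycle hooks declared in package.json, follows the script file each hook runs, and matches its source against indicator patterns for the authorized-keys write and the socket-to-shell wiring. The package.json, the index.js stand-in, the benign comparison package and the indicator patterns are all constructed for this example; the stand-in carries only the API calls the audit looks for, with every attacker-side detail elided.

```javascript
// Added example (not Sonatype's code): audit npm lifecycle hooks for the
// backdoor behaviours described above. All inputs below are constructed.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators (assumptions chosen for this example), applied to the
// source of whatever a hook runs. Each maps to a behaviour the post describes.
const INDICATORS = [
  {
    id: 'ssh-authorized-keys',
    why: 'writes to an authorized_keys file (persistent SSH access)',
    test: (src) => /authorized_keys/.test(src) && /(appendFile|writeFile)/.test(src),
  },
  {
    id: 'reverse-shell',
    why: 'wires a TCP socket to a child process',
    test: (src) => /require\(['"]net['"]\)/.test(src)
      && /child_process/.test(src) && /\.pipe\(/.test(src),
  },
  {
    id: 'shell-from-hook',
    why: 'spawns a shell interpreter during install',
    test: (src) => /child_process/.test(src)
      && /(\/bin\/sh|\bbash\b|cmd\.exe|powershell)/.test(src),
  },
];

// "node index.js" -> "index.js"; anything else (node-gyp, make, ...) -> null.
function scriptTarget(command) {
  const m = /\bnode\s+([^\s&|;]+)/.exec(command);
  return m ? m[1] : null;
}

// pkg: parsed package.json; files: map of relative path -> source text.
// Returns one record per defined lifecycle hook, with the indicators it matched.
function auditPackage(pkg, files) {
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    const target = scriptTarget(command);
    // Inspect the script file when we have it, otherwise the command line itself.
    const src = target && files[target] !== undefined ? files[target] : command;
    const hits = INDICATORS.filter((i) => i.test(src)).map((i) => i.id);
    findings.push({ hook, command, file: target, hits });
  }
  return findings;
}

// Constructed sample mirroring the post: a preinstall hook that runs index.js.
// The index.js stand-in is not a working payload; it only carries the API
// calls the audit keys on, with host, port, key and wiring elided.
const SAMPLE_PKG = { name: 'example-package', version: '1.0.0', scripts: { preinstall: 'node index.js' } };
const SAMPLE_FILES = {
  'index.js': [
    "const fs = require('fs'); const os = require('os');",
    "const net = require('net'); const cp = require('child_process');",
    "fs.appendFileSync(os.homedir() + '/.ssh/authorized_keys', '<key elided>');",
    "const sock = net.connect(/* host and port elided */);",
    "const child = cp.spawn('/bin/sh'); /* socket <-> child wiring elided: sock.pipe(...) */",
  ].join('\n'),
};

// A benign package with a native build step, to show the audit does not flag every hook.
const BENIGN_PKG = { name: 'example-native', version: '2.0.0', scripts: { postinstall: 'node-gyp rebuild', test: 'mocha' } };

function report(pkg, files) {
  for (const f of auditPackage(pkg, files)) {
    const label = f.hits.length ? `SUSPICIOUS [${f.hits.join(', ')}]` : 'no indicators';
    console.log(`${pkg.name}: ${f.hook} -> "${f.command}" (${f.file || 'inline'}): ${label}`);
  }
}

report(SAMPLE_PKG, SAMPLE_FILES);
report(BENIGN_PKG, {});
```

Running this prints one SUSPICIOUS line for the constructed package and a clean line for the native-build package. The audit is deliberately conservative: a hook that merely runs `node-gyp rebuild` produces no hits, while the combination of an install-time hook, an authorized_keys write and socket-to-shell plumbing is what warrants blocking the package. Independently of any scanner, installing with `npm install --ignore-scripts` prevents preinstall hooks like the one in 'wickjs' from executing at all.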
2. Discord stealers and dependency confusion
A theme of OSS attacks that just won't go away is Discord token and Roblox cookie stealers.
Various packages caught by our malware bots this week, including 'discord.js-selfv13' and 'discord.js-selfv14', show that attackers continue to target Discord developers and gamers who write npm scripts.
In addition to packing code from legitimate Discord libraries spanning hundreds of files, these packages contain obfuscated code hidden deep in subdirectories.
For example, the typosquat ‘discord.js-selfv14’ (Read more…)
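A way to surface the pattern section 2 describes, obfuscated code tucked deep beneath otherwise legitimate-looking library files, as an added example that is not Sonatype's code: a heuristic pass over a package's files that scores each one for obfuscation signals and reports the noisiest, deepest hits. The in-memory file map, the thresholds, the signal names and the obfuscated-looking stand-in are all constructed for this example; the hex-prefixed identifier check reflects the default naming style of the common javascript-obfuscator tool, which is an assumption about what such code looks like, not a statement about any specific package.

```javascript
// Added example (not Sonatype's code): locate obfuscated code buried in a
// package tree. Input is a map of relative path -> source; samples are constructed.

// Per-file heuristics (thresholds are assumptions chosen for this example).
function obfuscationSignals(src) {
  const signals = [];
  // Identifiers like _0x4f2a are the default naming style of javascript-obfuscator.
  const hexIds = (src.match(/\b_0x[0-9a-f]+\b/gi) || []).length;
  if (hexIds >= 3) signals.push(`hex-named identifiers x${hexIds}`);
  // Strings written entirely as \xNN / \uNNNN escapes hide plain-text indicators.
  const escapes = (src.match(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi) || []).length;
  if (escapes >= 5) signals.push(`escaped string literals x${escapes}`);
  // Packed code tends to arrive as a single very long line.
  const longest = src.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
  if (longest > 500) signals.push(`packed line of ${longest} chars`);
  // Runtime code construction is the usual final stage of string-array obfuscation.
  if (/\beval\s*\(|\bnew\s+Function\s*\(/.test(src)) signals.push('dynamic code execution');
  return signals;
}

function depthOf(path) { return path.split('/').length - 1; }

// Returns files showing at least `minSignals` heuristics, noisiest and deepest first.
function scanForObfuscation(files, minSignals = 2) {
  const flagged = [];
  for (const [path, src] of Object.entries(files)) {
    const signals = obfuscationSignals(src);
    if (signals.length >= minSignals) flagged.push({ path, depth: depthOf(path), signals });
  }
  return flagged.sort((a, b) => b.signals.length - a.signals.length || b.depth - a.depth);
}

// Constructed package: two ordinary-looking source files plus one obfuscated
// stand-in three directories deep, mirroring the layout described in the post.
const SAMPLE_PACKAGE = {
  'index.js': "module.exports = require('./src/client');\n",
  'src/client.js': [
    'class Client {',
    '  constructor(token) { this.token = token; }',
    '  login() { return Promise.resolve(this.token.length > 0); }',
    '}',
    'module.exports = Client;',
  ].join('\n'),
  // Hex identifiers, escaped string array and eval; it does nothing useful when run.
  'lib/util/cache/strings.js':
    "var _0x4f2a=['\\x74\\x6f\\x6b\\x65\\x6e','\\x6c\\x6f\\x67','\\x65\\x6e\\x76'];" +
    "(function(_0x1e,_0x2c){var _0x3d=_0x1e[_0x2c];eval(_0x3d);})(_0x4f2a,0);",
};

function report(files) {
  const flagged = scanForObfuscation(files);
  if (!flagged.length) { console.log('no obfuscation signals'); return flagged; }
  for (const f of flagged) console.log(`${f.path} (depth ${f.depth}): ${f.signals.join('; ')}`);
  return flagged;
}

report(SAMPLE_PACKAGE);
```

In practice the file map would be built from the extracted `npm pack` tarball of the suspect package, so that what is scanned is exactly what would be installed. The depth sort matters for the case the post describes: a typosquat that bundles hundreds of genuine library files will look clean at the top level, and the one file worth reading is the deeply nested one that trips several heuristics at once.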