Sonatype finds malicious npm packages which broadcast your IP, username, and device fingerprint info on the web

Sonatype researchers discovered and confirmed the presence of two new vulnerable npm packages. Sonatype’s discovery was initially made by its malicious code detection bots. By applying machine learning and artificial intelligence to identify suspicious code commits, update signals, and developer patterns, the bots are continuously assessing changes across millions of open source software component releases. Following alerts from the Sonatype bots, our security research team verified the presence of malicious code in two npm packages and traced the intended exploit path.

The two packages are: 

  • electorn
  • loadyaml

The two packages representing next-generation software supply chain attacks rely on typosquatting – an attack that impersonates legitimate packages and makes them available for unsuspecting developers to download. Typosquatting packages prey on a developer or unsuspecting user to make a minor typographical error which will trick them into installing the malicious package within their environment instead of the one they had originally intended to download.  For example, the developer requests the “electron” package but unintentionally spells it “electorn”.

Once installed, the packages discovered by Sonatype, collect the user’s IP address, geolocation data, along with their device’s fingerprinting information, and publishes this data to a public GitHub page.

Last year, Sonatype unveiled its next-generation malicious code detection bots being built into our Nexus Intelligence products, to enable detection of malicious releases of open source components, known as “counterfeit components,” and blocking their use within modern software factories.

Our release integrity monitoring efforts have constantly evolved since then and continue to provide us with top-notch security intelligence which protects our customers and their software supply chains. 

Diving Deep into `electorn` and `loadyaml`

Multiple packages identified by Sonatype’s malicious code detection bots include `electorn`, `loadyaml`, `lodashs`, and `loadyml`. Let’s take a deep dive into each of these.

It is worth noting that all four (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Akshay 'Ax' Sharma. Read the original post at: