There’s a RAT in my code: new npm malware with Bladabindi trojan spotted

Over the Thanksgiving weekend, Sonatype discovered new malware within the npm registry. This time, the typosquatting packages identified by us are laced with a popular Remote Access Trojan (RAT).

DevOps Connect:DevSecOps @ RSAC 2022

The malicious packages are:

Both of these packages have been published by the same author.

On Friday, Sonatype’s Nexus Intelligence, which includes next generation machine learning algorithms that automatically detect potentially malicious open source components, flagged “jdb.js” for being suspicious.

This is the same state-of-the-art technology that has recently unveiled open source malware like CursedGrabber, fallguys’ successor discord.dll, typosquatting npm packages like electorn, twilio-npm, and many more.

Upon digging deeper, we discovered that the author behind “jdb.js” had also published another malicious npm package, “db-json.js.”

As the name implies, “jdb.js” attempts to mimic the legitimate NodeJS-based database library, jdb. Similarly, “db-json.js” carries an identical name to the genuine db-json library. 

However, “jdb.js” is in fact a malicious package bundled with a Remote Access Trojan (RAT) called njRAT aka Bladabindi.

RATs are a type of malware that enable attackers to take over an infected system, execute arbitrary commands, run keyloggers, and discreetly conduct other surveillance activities. 

njRAT is an info-stealing trojan that had been deployed in widespread attacks that led Microsoft to shut down 4 million sites in 2014.

In recent years, variants of njRAT/Bladabindi have been distributed via Bitcoin scams on YouTube and via Excel phishing emails. And, given njRAT’s customizability and easy availability on the darknet, the malware has also been shipped by threat actors as part of their ransomware exploit kits.

Dissecting npm malware “jdb.js”

Published last week, “jdb.js” is an npm package (not a JavaScript file) with just one version 1.0.0 that contains 3 files:

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: