
Open Source Attacks on the Rise: Top 8 Malicious Packages Found in npm

I get asked often what Sonatype’s automated malware detection system, Release Integrity, has found so far. Great question!

Back in 2019, Sonatype announced the release of its new technology with early warning capabilities to find malicious releases of open source components, known as “counterfeit components.” Release Integrity is part of next-gen Sonatype Nexus Intelligence, detecting such components and blocking their use within modern software factories. We knew then that the future of open source security was changing – and the past year shows just how right we were.

Since then, this technology has time and time again identified novel malware lurking in open source components, including samples missed by leading antivirus engines. With it, Sonatype was the first and only company to proactively catch the dependency (or namespace) confusion PoC research packages from Alex Birsan when they first sprang up in 2020.

Using automated malware detection systems, the service flagged Birsan’s packages in early 2020 as malware. At the time, the researcher told Sonatype that this was part of ongoing research work and that a coordinated disclosure would take place in early 2021. This vulnerability was revealed as promised, affecting more than 35 organizations, including major software companies like Microsoft, Uber, Tesla, Yelp, and Shopify.

Since then, the Sonatype Security Research Team has repeatedly added these packages to our data under multiple vulnerability identifiers (sonatype-2020-XXXX IDs), keeping our customers protected from the get-go.

At publish date, we have identified upwards of 12,000 suspicious and malicious npm packages. This figure includes packages that infiltrated npm this year, including:

  • Novel malware, typosquatting, and brandjacking
  • Hundreds of original dependency confusion PoCs
  • Thousands of dependency hijacking copycats, malicious and otherwise
  • Bug bounties and contributions by security researchers and infosec activists

Today we round up popular malware that Sonatype’s Release Integrity has identified thus far, which (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/open-source-attacks-on-the-rise-top-8-malicious-packages-found-in-npm