The world was just coming to terms with the “ua-parser-js” npm library hijacking incident, and Sonatype’s discovery of crypto-mining malware from last week, when we found a bigger, and spookier, issue just in time for Halloween.
Could threat actors abuse open source ecosystems like npm, PyPI, and RubyGems to deploy ransomware? This crucial question was raised for the first time because of our most recent discovery of malicious npm packages.
The answer was an unequivocal yes. Let me go into the full details. These typosquatting packages mimic noblox.js, a popular Roblox game API wrapper that exists on npm both as a standalone package and as legitimate variants such as “noblox.js-proxied” (ending in ‘d’, not ‘s’). Both typosquats are tracked under sonatype-2021-1526 in our security research data.
But the developers behind the malicious typosquats noblox.js-proxy and noblox.js-proxies added some extra, unwanted functionality: trojans, ransomware, and even a spooky surprise.
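The two typosquats differ from their legitimate counterparts in exactly the ways an automated check can catch: one is a single-letter edit of a real name (noblox.js-proxies vs. noblox.js-proxied), the other bolts a plausible suffix onto one (noblox.js-proxy vs. noblox.js). The script below is an added example, not code from the Sonatype post or from Sonatype's detection system; it scans a package.json against an allowlist of known-good names and reports near-misses. The allowlist, the `scanPackageJson` helper and the sample package.json are constructed for illustration.

```javascript
// Added example (not from the Sonatype post): flag npm dependencies whose
// names are suspiciously close to a known-good package name. Two rules:
//  1. edit-distance: within a few Levenshtein edits of a known name
//     (noblox.js-proxies vs. the legitimate noblox.js-proxied)
//  2. suffix-extension: a known name plus a separator and a suffix
//     (noblox.js-proxy vs. noblox.js)
// The allowlist and sample package.json below are constructed for illustration.

// Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0]; // dp[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // dp[i-1][j] before this cell is overwritten
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return row[b.length];
}

// Does `name` extend `known` with a separator and a suffix (e.g. "-proxy")?
function isSuffixExtension(name, known) {
  return (
    name.length > known.length &&
    name.startsWith(known) &&
    /^[-._]/.test(name.slice(known.length))
  );
}

// Compare every dependency name against the allowlist. Exact matches are
// trusted; anything else within `maxDistance` edits of a known name, or
// built by appending a suffix to one, is reported with the rule that fired.
function findTyposquatCandidates(dependencies, knownPackages, maxDistance = 2) {
  const known = new Set(knownPackages);
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (known.has(name)) continue;
    for (const legit of known) {
      const distance = levenshtein(name, legit);
      if (distance <= maxDistance) {
        findings.push({ dependency: name, resembles: legit, rule: "edit-distance", distance });
      } else if (isSuffixExtension(name, legit)) {
        findings.push({ dependency: name, resembles: legit, rule: "suffix-extension", distance });
      }
    }
  }
  return findings;
}

// Parse package.json text and scan both dependencies and devDependencies.
function scanPackageJson(text, knownPackages, maxDistance = 2) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return findTyposquatCandidates(deps, knownPackages, maxDistance);
}

// Constructed sample input: the legitimate noblox.js-proxied, the two
// typosquats named in the post, and an unrelated allowlisted package.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "roblox-bot",
  dependencies: {
    "noblox.js-proxied": "^4.0.0",
    "noblox.js-proxy": "^1.0.0",
    "noblox.js-proxies": "^1.0.0",
    express: "^4.17.1",
  },
});

// Constructed allowlist; in practice this would be the project's vetted names.
const KNOWN_PACKAGES = ["noblox.js", "noblox.js-proxied", "express"];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanPackageJson(SAMPLE_PACKAGE_JSON, KNOWN_PACKAGES)) {
    console.log(`${f.dependency} resembles ${f.resembles} (${f.rule}, distance ${f.distance})`);
  }
}
```

Run against the sample, the script reports noblox.js-proxy (suffix extension of noblox.js) and noblox.js-proxies (suffix extension of noblox.js, and one edit from noblox.js-proxied), while the legitimate noblox.js-proxied passes as an exact allowlist match. Note the limits of this approach: it only flags names close to something already on the allowlist, so a malicious package with an unrelated name is invisible to it, and a tight `maxDistance` is needed to keep false positives down among short package names. It is a cheap pre-install gate, not a substitute for inspecting what a package's install scripts actually do.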
While noblox.js-proxy was flagged by Sonatype’s automated malware detection system, our security research team also came across noblox.js-proxies while investigating that package. This highlights the importance of combining automation and human research in protecting our open source ecosystems – and why we at Sonatype have not only built the system to find the issues, but employ an (Read more...)
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Juan Aguirre. Read the original post at: https://blog.sonatype.com/fake-npm-roblox-api-package-installs-ransomware-spooky-surprise