
86 Malicious npm Packages Named After Popular NodeJS Functions

Sonatype’s automated malware detection bots have caught 86 npm packages that are named after popular NodeJS and JavaScript functions.

The development follows last week’s discovery of over 400 malicious npm packages targeting Azure, Uber, and Airbnb developers—all caught by our malware detection system, offered as a part of Nexus Firewall.

What the Rukkaz?

This week, we discovered seven dozen packages, each published from a different npm account that appears to have been generated automatically by a script.

Each package is named after commonly used NodeJS functions, classes, or libraries. Some examples include, ‘document-create-element’, ‘array-iteration’, ‘an-object’, etc.

The complete list of these packages is provided here: page 1, page 2, page 3.

Although all of these packages were published from different npm accounts and contain empty README files, the common factor among them is the string “rukkaz package” or “azbit package” present in the package metadata.

Like last week’s campaign, some of these packages, such as ‘rush-lib’ (mimicking the real @microsoft/rush-lib), target Azure developers and contain identical code for exfiltrating basic system fingerprinting information, such as your IP address, hostname, username, etc.

What does stand out is the mention of terms “Rukkaz” and “Azbit.”

Launched in 2019 by SuperAwesome, Rukkaz is a kid-safe streaming platform that lets players connect with gaming influencers.

And “Azbit” is a fairly popular cryptocurrency exchange with over 350,000 users and a daily $240,000,000 trading volume.

Sonatype has yet to see direct evidence of private dependencies with these names being used by any of these major services. At this time, it seems like a leap of faith on the attacker’s part, looking to target these firms.

Code won’t execute on select systems

Like thousands of dependency confusion packages seen by us so far, all (Read more...)

This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/86-malicious-npm-packages-named-after-popular-nodejs-function-names