This week in malware—a ‘fix-crash’ info-stealer and 500+ malicious npm packages
This week in malware, Sonatype’s automated malware detection systems caught upwards of 300 npm packages, including 86 named after popular NodeJS functions.
The development follows last week’s discovery of 400+ packages targeting Microsoft Azure, Airbnb and Uber developers.
Shout out to our data scientist Cody Nash for providing this data in time for our digest. Nash is one of the developers behind Sonatype’s automated malware detection systems that feed intel into Nexus Firewall.
1. A ‘fix-crash’ package that steals your Discord info
Further, the Sonatype Security Research team reported a ‘fix-crash’ package to npm that certainly fixes no crashes.
The ‘fix-crash’ package, with its sole version 1.0.0, packed heavily obfuscated malware that stole your Discord tokens. This continues the ongoing theme of Discord info and Roblox cookie stealers Sonatype has reported on time and time again.
For visibility, here’s a small snippet of the deobfuscated code:
2. 86 Rukkaz, Azbit npm typosquats
This week, we discovered seven dozen packages, each published by a different, unique npm account that appears to have been automatically generated using a script:
Each package was named after commonly used NodeJS functions, classes, or libraries. Examples include ‘document-create-element’, ‘array-iteration’ and ‘an-object’. The packages would only execute under specific conditions.
The complete list of these packages is provided here: page 1, page 2, page 3.
What did stand out in these packages was the mention of the terms “Rukkaz” and “Azbit.”
Launched in 2019 by SuperAwesome, Rukkaz is a kid-safe streaming platform that lets players connect with gaming influencers:
And “Azbit” is a fairly popular cryptocurrency exchange with over 350,000 users and a daily $240,000,000 trading volume.
Sonatype is yet to see direct evidence of private dependencies with these names being used by any of these major services. At this (Read more...)
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/this-week-in-malware-a-fix-crash-info-stealer-and-500-malicious-npm-packages