
This Week in Malware—npm backdoors, bugs, ‘mystery placeholders’

This week in malware, Sonatype’s automated malware detection systems flagged npm packages laced with embedded backdoors. Additionally, the latest highlights include an interesting pattern of “mystery placeholder” packages seen on npm in the past few days and a dangerous npm flaw that allowed attackers to add anyone as a ‘maintainer’ to their malicious packages. 

1. Backdoored npm packages

The malicious packages flagged by our automated malware detection systems include:

  • aaiofkkp
  • fitt-addons
  • pix-xui
  • wickjs

These have been assigned sonatype-2022-2481 in our security research data.

While their names reveal little about the intended target, these packages begin malicious activity as soon as they are installed. For example, inside ‘wickjs,’ the manifest file (package.json) runs index.js at the preinstall stage:

The index.js file, in addition to pulling a standard dependency confusion attack, attempts to add the author’s public SSH key to the list of authorized keys on the infected system:

Some versions of ‘wickjs’ and the other malicious packages additionally act as a backdoor by establishing a TCP reverse shell connection to the attacker’s machine (line 22 in the screenshot below). The attacker is then able to run arbitrary commands on the infected system.

After our report to npm, these malicious packages were taken down by the npm security team. Users of Nexus Firewall remain protected from open source attacks like these.

2. Discord stealers and dependency confusion

One theme of OSS attacks that simply refuses to die down is Discord token and Roblox cookie stealers.

Various packages caught by our malware bots, including ‘discord.js-selfv13’ and ‘discord.js-selfv14’ this week, demonstrate attackers continuing to focus on Discord developers and gamers writing npm scripts.

In addition to packing code from legitimate Discord libraries spanning hundreds of files, these packages contain obfuscated code hidden deep within subdirectories.

For example, the ‘discord.js-selfv14’ typosquat (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/this-week-in-malware-april-29th-edition