This Week in Malware – Over 100 Packages Discovered

This week in malware, we discovered and analyzed more than 100 packages flagged as malicious, suspicious, or dependency confusion attacks in npm and PyPI registries.

Malicious packages caught by Sonatype
We caught the following this week via Sonatype’s automated malware detection system, offered as a part of Nexus Firewall:

1inch

Sponsorships Available

Sponsorships Available

Sponsorships Available

4ff-lib-foundation

@malware-test-bises-celts-borel-sneak/test-mlw3-bises-celts-borel-sneak

@malware-test-jelly-poled-trull-tokes/test-mlw3-jelly-poled-trull-tokes

@malware-test-lazar-bales-avows-inkle/test-mlw3-lazar-bales-avows-inkle

@malware-test-merge-agony-whits-blate/test-mlw3-merge-agony-whits-blate

@malware-test-piles-perky-glory-sahib/test-mlw3-piles-perky-glory-sahib

@malware-test-pling-pangs-birks-cubit/test-mlw3-pling-pangs-birks-cubit

@schnux/example

@step-security/malware-simulator

ahahjesus

amitbhai

anis-regex

ansi-ergex

ansi-reegx

ansi-regxe

ansi-rgeex

asni-regex

aynmatch

aypports-color

cis-publishers

cloudflare-plugin-frontend

coveragepublisher

cumul.io-integration

cumul.io-plugin-citybikes

cumul.io-plugin-mysql

d2-collection

darshanno1

dcrdata

demozeel

deubg

dexclient

discord-external

dup-glob

dupport-colors

dypports-color

edbug

esrtaverse

estarverse

estraevrse

estraveres

estravesre

estravrese

estrvaerse

ethereum0etl

ethereum2

etsraverse

evernote-sdk-sample-node

example-gke-workload-identity-app

finn-style

futures-sdk

ginore

glob-aprent

ibiza-universe

ignoer

ignroe

imcromatch

ingore

log-status

mciromatch

micormatch

micrmoatch

micro-ed25519-hdkey

microamtch

micromacth

micromtach

mircomatch

navigator-updatertest

naymatch

pip-foo

predpatt

retrap

setraverse

shopify-marketplaces-admin-app

sjesc

soupports-colors

spuports-color

srv-configs

suopport-colors

supoprts-color

supporst-color

supports-cloor

supports-colro

supports-coolr

supports-oclor

suppotrs-color

supprots-color

suypport-colors

sypport-color

syupport-colors

tds-publish

tensorflow-estimator-2.0-preview

test-mlw1-bises-celts-borel-sneak

test-mlw1-goals-roker-elmen-bongo

test-mlw1-karat-jowar-scurs-pearl

test-mlw1-noops-semis-edict-bokes

test-mlw1-ogres-bogle-kakas-bogus

test-mlw1-picky-argal-cried-alloy

test-mlw1-piles-perky-glory-sahib

test-mlw1-pling-pangs-birks-cubit

test-mlw1-rakee-clasp-mudir-ovoid

test-mlw1-salto-drags-hunks-chiao

test-mlw1-tasty-fazed-witan-quins

test-mlw2-bises-celts-borel-sneak

test-mlw2-picky-argal-cried-alloy

test-mlw2-pling-pangs-birks-cubit

test-mlw2-salto-drags-hunks-chiao

test-mlw2-tasty-fazed-witan-quins

tlsib

tomcrypt

tsilb

tslbi

uspports-color

utility-common-v2

wanger

warprnnt-pytorch

webcm-dev

websocket-template

Y1zh3e7

These discoveries follow our report last week of over 130 new packages discovered.

Turn on Nexus Firewall for automatic protection

As a DevSecOps organization, we remain committed to identifying and halting attacks, such as those mentioned above, against open source developers and the wider software supply chain.

Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.

Nexus Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in progress, thereby keeping your software supply chain protected from the start. 

Sonatype’s world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from infections.