Malware Monthly – December 2022

Welcome to the latest edition of Malware Monthly, where our teams of security researchers and developer advocates bring you the latest discoveries of malicious packages in software registries.

Thankfully, the 2022 holiday season did not deliver the level of disruption seen in last year’s Log4Shell zero-day vulnerability. But some developers and security professionals did receive an unwelcome gift from bad actors this past Christmas. Users of PyTorch, a popular machine learning framework, dealt with a malicious dependency posing as a legitimate library.

In December 2022, we found 422 malicious packages in the npm registry, most of them exfiltrating data via typosquatting or dependency confusion attacks, including: ajax-cuuu, angular-nanoscroller, angular-stateful-fastclick, arcgis-charts-shared-utils, arcgis-components, aws-postgres-rotator, aws-rfdk-project, bluebird.node, chart.js-latest, datagrid-text, datagrid-web, jfrog-alfheim, phup.js, react-router-susanin, reactjs-slick, yandex-html5-video-player, yandex-tjson… and many more.

We also caught 58 malicious packages in PyPI, including the heavily obfuscated Discord token stealers proxier-api and nitro-api66. Keep in mind that here we cover just a few of the hundreds of malicious packages our AI-enabled system flagged before they entered your build environment.

The ones that caught our attention

MacOS attack

Some of the malicious packages detected by our AI targeted developers using Mac computers. As an example, in cobo-python-api, threat actors used dependency confusion to trick developers into downloading a tainted version of the crypto library Cobo Custody Restful.

They leveraged the fact that this package doesn’t have an official distribution through the PyPI registry. By uploading a compromised version with the same name to PyPI, the attackers expect that the package manager (pip) used by developers will prioritize the malicious version over the legitimate GitHub version.

And what are they hoping to achieve?

The technique is well-known and widely used: include the malicious code in the setup script setup.py so developers deploy the malware as (Read more...)
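As an added example (not Sonatype's code, and not taken from the packages above), the following Python shows how a defender can screen a setup.py for the install-time pattern described here: it parses the script with the standard ast module and flags custom install hooks (cmdclass), imports of modules a package description rarely needs, and calls that execute, decode or fetch code. The watch-lists and the two sample setup scripts are constructed for illustration; the hooked sample's payload is an inert placeholder.

```python
import ast
# Constructed watch-lists: names that rarely belong in a package description.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "b64decode", "urlopen", "system", "Popen"}
SUSPICIOUS_MODULES = {"base64", "subprocess", "urllib", "requests", "socket", "ctypes"}
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}

def _imported_modules(node):
    """Top-level module names referenced by an import statement, else []."""
    if isinstance(node, ast.Import):
        return [a.name.split(".")[0] for a in node.names]
    if isinstance(node, ast.ImportFrom):
        return [(node.module or "").split(".")[0]]
    return []

def scan_setup_py(source):
    """Return sorted findings ('import:x', 'call:x', 'cmdclass:x') for one setup.py."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        findings.update(f"import:{m}" for m in _imported_modules(node)
                        if m in SUSPICIOUS_MODULES)
        if not isinstance(node, ast.Call):
            continue
        # Called name for foo(...) or a.b.foo(...).
        name = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
        if name in SUSPICIOUS_CALLS:
            findings.add(f"call:{name}")
        # cmdclass={"install": ...} re-routes pip's install step to custom code.
        for kw in node.keywords:
            if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                for key in kw.value.keys:
                    if isinstance(key, ast.Constant) and key.value in INSTALL_HOOKS:
                        findings.add(f"cmdclass:{key.value}")
    return sorted(findings)

# Constructed samples: a plain package description and one carrying an install hook.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="example-pkg", version="1.0", packages=find_packages())
'''
HOOKED_SETUP = '''
import base64
from setuptools import setup
from setuptools.command.install import install
class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode(PAYLOAD))  # PAYLOAD is an inert placeholder here
PAYLOAD = "PLACEHOLDER"
setup(name="example-pkg", version="1.0", cmdclass={"install": PostInstall})
'''
```

Run against a vendored or newly resolved package, a non-empty result is a reason to read the setup script before letting pip execute it, not proof of malice; legitimate packages occasionally use cmdclass for build steps.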

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Sonatype Developer Relations. Read the original post at: https://blog.sonatype.com/malware-monthly-december-2022