This Week in Malware—show me your secrets!

This Week in Malware, highlights include malicious Python packages that not only exfiltrate your secrets (AWS credentials and environment variables) but upload them to a publicly exposed endpoint. Also listed below are some more dependency confusion packages caught by us ...

Python packages upload your AWS keys, env vars, secrets to the web

Last week, Sonatype discovered multiple Python packages that not only exfiltrate your secrets (AWS credentials and environment variables) but upload them to a publicly exposed endpoint. These packages were discovered by Sonatype's automated malware detection system, offered as a part of Nexus platform products, including Nexus Firewall. On a further ...

This Week in Malware: killing Windows Defender with an npm package

This Week in Malware, highlights include the malicious npm package 'flame-vali', which claims to let developers "bypass any request proxys." But that's not quite the case. And, some more dependency confusion packages caught by us ...

npm package disables Windows Defender before dropping trojan

Last week, Sonatype's automated malware detection systems flagged the npm package 'flame-vali', which claims to let developers "bypass any request proxys." But that's not quite the case ...

This Week in Malware—npm malware exfiltrates Windows SAM, Amazon EC2 credentials

This Week in Malware, we continue to see an uptick in outright malicious and dependency confusion packages employing novel tactics. A list of some of the packages caught by Sonatype's automated malware detection systems is given below, and more analysis is expected to follow in subsequent blog posts next week ...

PyPI package ‘ctx’ and PHP library ‘phpass’ compromised to steal environment variables

This week, the immensely popular PyPI package 'ctx' was compromised and altered to steal environment variables from its users. Additionally, a forked PHP project, 'phpass', also suffered a repo-hijacking attack, with the project tainted with an identical malicious payload ...

New ‘pymafka’ malicious package drops Cobalt Strike on macOS, Windows, Linux

This week, Sonatype's automated malware detection bots discovered the malicious Python package 'pymafka' in the PyPI registry ...

This Week in Malware—Malicious Rust crate, ‘colors’ typosquats

This week's This Week in Malware digest was delayed by a day in light of a significant announcement on Friday from Sonatype's CTO Brian Fox. The announcement details Sonatype's participation in an ongoing conversation led by the Open Source Security Foundation (OpenSSF) that unites the industry, open source communities, and government officials in ...

This Week in Malware—Apache Kafka typosquats, shorthand data exfiltration

This Week in Malware, we pull apart a typosquat impersonating an Apache Kafka project and an interesting npm package that downloads another, empty npm package; it turns out that's merely a distraction technique ...

npm package downloads another package while exfiltrating your IP address and username

On any given day, Sonatype's security research team analyzes dozens to hundreds of suspicious packages published to open source registries, including npm and PyPI ...