Malicious Npm Package Uses Typosquatting, Downloads Malware


A package called “aabquerys” has been spotted on npm, the open-source JavaScript package repository, using typosquatting to get installed and then downloading further malicious components.

The findings come from security researchers at ReversingLabs, who have said aabquerys was able to download second- and third-stage malware payloads to infected systems.

“The package name, aabquerys, is also similar to the name of another, legitimate npm module: abquery, evidence of ‘typosquatting,’ or attempting to sow confusion and fool developers into downloading a malicious package in place of a legitimate one,” reads an advisory posted by the company on Thursday.

The technical write-up by ReversingLabs threat researchers Lucija Valentic and Karlo Zanki says the malicious package consisted of two files, one of which was obfuscated with the JavaScript obfuscator tool.

“Open source code is intended to be viewable by everyone, so an effort to disguise or hide functionality within an open source module should be investigated,” the researchers wrote. 

“In the case of aabquerys, the obfuscated code in question was easily de-obfuscated. That revealed a [JavaScript] file with clearly malicious behavior.”
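As an added example, not code from ReversingLabs, npm or this article, the script below implements the two checks the paragraphs above describe: flagging a package name that sits within a small edit distance of a legitimate one (aabquerys versus abquery) and scanning a package file for the hallmarks of JavaScript-obfuscator output so it can be pulled aside for review before installation. The watch-list of known names, the two sample file contents and the detection thresholds are constructed assumptions for illustration.

```javascript
// Added example (not ReversingLabs', npm's or the article's code): two
// pre-install checks for the warning signs the article describes.
//  1. typosquatCandidates(): edit distance between a package name and a
//     watch-list of legitimate names, so "aabquerys" vs "abquery" is flagged.
//  2. obfuscationSigns(): counts hallmarks of JavaScript-obfuscator output
//     (hex-named identifiers, \x string escapes, a leading string array) and
//     marks the file as needing review when they exceed assumed thresholds.
// The watch-list, sample sources and thresholds below are constructed.

function levenshtein(a, b) {
  // Single-row dynamic-programming edit distance (insert/delete/substitute).
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diagonal + cost);
      diagonal = tmp;
    }
  }
  return prev[b.length];
}

// Names within maxDistance edits of a known package, unless the name IS a
// known package. Returned sorted by distance, closest first.
function typosquatCandidates(name, knownNames, maxDistance = 2) {
  const target = name.toLowerCase();
  const lowered = knownNames.map((k) => k.toLowerCase());
  if (lowered.includes(target)) return [];
  return knownNames
    .map((known, i) => ({ known, distance: levenshtein(target, lowered[i]) }))
    .filter((hit) => hit.distance <= maxDistance)
    .sort((x, y) => x.distance - y.distance);
}

// Assumed signatures of javascript-obfuscator style output.
const OBFUSCATION_PATTERNS = {
  hexIdentifiers: /\b_0x[0-9a-f]{4,}\b/gi,                 // _0x4f2a style names
  hexEscapes: /\\x[0-9a-f]{2}/gi,                          // '\x68\x74\x74\x70'
  rotatedStringArray: /\b_0x[0-9a-f]+\s*=\s*\[\s*['"]/gi,  // var _0x4f2a=['...
};

function obfuscationSigns(source) {
  const counts = {};
  for (const [label, re] of Object.entries(OBFUSCATION_PATTERNS)) {
    counts[label] = (source.match(re) || []).length;
  }
  // Assumed thresholds: any string array, or a dense run of hex names/escapes.
  counts.suspicious =
    counts.rotatedStringArray > 0 || counts.hexIdentifiers >= 3 || counts.hexEscapes >= 8;
  return counts;
}

// Audit one package: name check plus per-file obfuscation check.
function auditPackage(name, files, knownNames) {
  return {
    typosquat: typosquatCandidates(name, knownNames),
    obfuscatedFiles: Object.entries(files)
      .filter(([, src]) => obfuscationSigns(src).suspicious)
      .map(([path]) => path),
  };
}

// Constructed sample inputs: a plain file and an obfuscator-style file.
const CLEAN_SAMPLE = `
const http = require('http');
function fetch(url) { return http.get(url); }
module.exports = { fetch };
`;
const OBFUSCATED_SAMPLE = `
var _0x4f2a=['\\x68\\x74\\x74\\x70','\\x67\\x65\\x74','\\x65\\x78\\x65\\x63'];
(function(_0x1b3c,_0x2d4e){var _0x3f5a=function(_0x4a6b){while(--_0x4a6b){_0x1b3c['push'](_0x1b3c['shift']());}};_0x3f5a(++_0x2d4e);}(_0x4f2a,0x1a3));
var _0x5b7c=function(_0x6c8d){return _0x4f2a[_0x6c8d];};
`;
const KNOWN_PACKAGES = ['abquery', 'express', 'lodash', 'request'];

const report = auditPackage(
  'aabquerys',
  { 'index.js': CLEAN_SAMPLE, 'lib/loader.js': OBFUSCATED_SAMPLE },
  KNOWN_PACKAGES,
);
console.log(JSON.stringify(report, null, 2));
```

The name check is deliberately cheap: a watch-list of the packages your own lockfile already depends on, plus the most downloaded names on the registry, catches the aabquerys/abquery case at distance 2 without a network call. The obfuscation check is a triage signal, not a verdict: minified production bundles can trip the hex-identifier count, so a hit should route the package to a human or a sandbox rather than block it outright.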

When run on a Windows PC, the file displayed a fake web-browser crash message with a link; following the link downloaded a second-stage payload that ReversingLabs says has been used in several malware campaigns. That payload then sideloaded a dynamic link library (DLL), that is, had a legitimate executable load an attacker-supplied DLL placed beside it, and the DLL downloaded the third-stage component.

Dubbed “Demon.bin,” this third-stage file is an agent with remote access trojan (RAT) capabilities, reportedly built with Havoc, the open-source post-exploitation command-and-control (C2) framework developed by C5pider.

“Since discovering the aabquerys package, npm has removed it from their repository along with other malicious packages,” Valentic wrote.

At the same time, the discovery of the malicious package, and of evidence that the maintainer responsible had published others, highlights the growing risk of malicious packages hiding in open-source repositories like npm, PyPI and GitHub, the researchers explained.

“This risk demands greater attention by development organizations to the telltale signs of malicious or suspicious behavior within their open source supply chain.”

Case in point: Sonatype published research a few weeks ago reporting that more than 400 malicious packages were found in npm in December, and dozens more in the PyPI repository.
