Researchers Uncover 700+ Malicious Open Source Packages

Security researchers have discovered another sizeable haul of malicious packages on the npm and PyPI open source registries, which can compromise developer machines and build pipelines if unwittingly installed.

In January, Sonatype said it found 691 malicious npm packages and 49 malicious PyPI components containing crypto-miners, remote access Trojans (RATs) and more.

The discoveries, made with the firm’s AI-assisted tooling, bring its total haul to nearly 107,000 packages flagged as malicious, suspicious or proof-of-concept since 2019.

It includes multiple packages that contain the same malicious package.go file, a Trojan designed to mine cryptocurrency on Linux systems. Sixteen of these were traced to the same actor, trendava, whose account has since been removed from the npm registry, according to Sonatype.

Separate finds include PyPI malware “minimums,” which is designed to check for the presence of a virtual machine (VM) before executing. The idea is to disrupt attempts by security researchers, who often run suspected malware in VMs, to find out more about the threat.

“The malware is designed to check if the current operating system is Windows. It then checks if the environment is not running in a virtual machine or sandbox environment. It does this by validating the presence of specific files associated with VMware and VirtualBox, as well as checking for the presence of certain processes that are commonly used by security researchers,” said Sonatype.

“If the environment is a virtual machine, the code immediately returns without executing any further.”
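The check Sonatype describes is a standard anti-analysis pattern, and the most useful thing a defender can do with it is run the same logic inside their own analysis VM to see which artifacts would give it away. The following is an added example written for this page, not Sonatype’s code and not the “minimums” package itself. The specific driver paths and process names are well-known VMware/VirtualBox and analysis-tool artifacts chosen here as assumptions; the article does not say which ones the malware looked for. The probes are injectable so the logic can be exercised on constructed inputs; by default it inspects the live host.

```python
"""Reproduce the VM/sandbox check described above, for testing an analysis VM.

Added example for this page (not Sonatype's or the PyPI package's code).
Artifact lists are assumptions: common VMware/VirtualBox guest drivers and
processes, plus tools researchers typically run beside a sample.
"""
import os
import platform
import subprocess
from typing import Callable, Iterable

# Assumed artifacts. Any hit here is something the malware could key on.
VM_FILES = [
    r"C:\Windows\System32\drivers\VBoxMouse.sys",
    r"C:\Windows\System32\drivers\VBoxGuest.sys",
    r"C:\Windows\System32\drivers\vmhgfs.sys",
    r"C:\Windows\System32\drivers\vmmouse.sys",
]
VM_PROCESSES = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe"}
ANALYSIS_PROCESSES = {
    "wireshark.exe", "procmon.exe", "procmon64.exe", "x64dbg.exe",
    "ollydbg.exe", "idaq.exe", "idaq64.exe", "fiddler.exe",
}


def analysis_indicators(system: str,
                        file_exists: Callable[[str], bool],
                        processes: Iterable[str]) -> list[str]:
    """Return the artifacts that would make the sample bail out.

    Mirrors the order the article gives: OS check first, then VM driver
    files, then VM and analysis-tool processes. An empty list means the
    payload would run.
    """
    if system != "Windows":
        return ["not-windows"]
    hits = [f"file:{path}" for path in VM_FILES if file_exists(path)]
    procs = {p.lower() for p in processes}
    hits += [f"vm-process:{p}" for p in sorted(VM_PROCESSES & procs)]
    hits += [f"analysis-process:{p}" for p in sorted(ANALYSIS_PROCESSES & procs)]
    return hits


def live_processes() -> set[str]:
    """Image names from `tasklist` on Windows; empty elsewhere."""
    if platform.system() != "Windows":
        return set()
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=False).stdout
    # CSV rows look like "name.exe","pid","session","#","mem"; take field 0.
    return {line.split('","')[0].strip('"').lower()
            for line in out.splitlines() if line.startswith('"')}


def would_execute_here() -> bool:
    """True if this host shows none of the artifacts the sample checks for."""
    return not analysis_indicators(platform.system(), os.path.exists, live_processes())


if __name__ == "__main__":
    for hit in analysis_indicators(platform.system(), os.path.exists, live_processes()):
        print("sample would detect:", hit)
    print("payload would run here:", would_execute_here())
```

Run it inside the sandbox you use for detonation: every line it prints is an artifact worth hiding (rename the tray process, drop the guest-additions drivers on the analysis snapshot, run the sniffer outside the guest), and an empty result means a sample using this exact check would proceed to its payload.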

The security vendor also discovered new Python malware combining the capabilities of a RAT and information stealer.

Finally, it found a suspicious-looking developer known as “infinitebrahamanuniverse” who uploaded over 33,000 packages self-described as sub-packages of “no-one-left-behind,” or “nolb.” The latter was removed last week, after the npm security team found that it depended on every other known publicly available npm package.

“If you check any npm package right now you’ll probably find under the dependents tab one of the nolb packages uploaded by ‘infinitebrahamanuniverse’,” warned Sonatype.

“By adding it to a typo-squatting package, that threat actor can launch a denial-of-service (DoS) attack against a company’s download channel, which can sabotage developers’ time by forcing them to wait for their npm environment to be ready. Installing a package with this dependency can also cause excessive resource consumption. If you follow this series you should know by now that such scenarios are not far-fetched.”
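The practical defence against the nolb scenario is to look at the lockfile before `npm install` resolves it: a package that declares thousands of direct dependencies, or one that pulls such a package in transitively, stands out immediately. The following is an added example for this page, not Sonatype’s tooling and not anything from the nolb packages. It walks a parsed package-lock.json (lockfileVersion 2/3 “packages” map) from the root, counts each package’s direct dependencies, and reports the path to any package whose fan-out exceeds a threshold. The threshold, the package names and the sample lockfile are constructed assumptions.

```python
"""Flag dependency fan-out in an npm lockfile before installing.

Added example for this page. The sample lockfile and the threshold are
constructed; real lockfiles are read from disk with the same function.
"""
import json
import sys
from collections import deque

# Assumption: no legitimate package declares this many direct dependencies.
FANOUT_THRESHOLD = 200


def audit_lockfile(lock: dict, threshold: int = FANOUT_THRESHOLD) -> list[dict]:
    """Return packages reachable from the root whose direct fan-out > threshold.

    Each finding records the package, its fan-out, and the dependency path
    from the project root that reaches it, so the offending direct
    dependency (e.g. a typosquat) can be identified and removed.
    """
    packages = lock.get("packages", {})
    # Map a package name to its lockfile entry. Nested installs appear as
    # "node_modules/a/node_modules/b"; the name is the last segment, and
    # scoped names ("node_modules/@s/p") survive the split intact.
    by_name: dict[str, dict] = {}
    for path, entry in packages.items():
        if path == "":
            continue
        by_name.setdefault(path.rsplit("node_modules/", 1)[-1], entry)

    findings = []
    seen: set[str] = set()
    root_deps = packages.get("", {}).get("dependencies", {})
    queue = deque((name, [name]) for name in root_deps)
    while queue:
        name, path = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        deps = by_name.get(name, {}).get("dependencies", {})
        if len(deps) > threshold:
            findings.append({"package": name, "fanout": len(deps), "path": path})
            continue  # no need to descend into a subtree already flagged
        for dep in deps:
            queue.append((dep, path + [dep]))
    return findings


def build_sample_lock(bloat: int = 1000) -> dict:
    """Constructed lockfile: a look-alike package drags in `bloat` packages."""
    bloated = {f"dep-{i}": "1.0.0" for i in range(bloat)}
    packages = {
        "": {"dependencies": {"left-pad": "^1.3.0", "left-pad-typo": "^1.0.0"}},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad-typo": {"version": "1.0.0",
                                       "dependencies": {"bloat-pkg": "*"}},
        "node_modules/bloat-pkg": {"version": "1.0.0", "dependencies": bloated},
    }
    packages.update({f"node_modules/dep-{i}": {"version": "1.0.0"} for i in range(bloat)})
    return {"name": "sample-app", "lockfileVersion": 3, "packages": packages}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
    else:
        lock = build_sample_lock()
    for f in audit_lockfile(lock):
        print(f"{f['package']}: {f['fanout']} direct deps via {' -> '.join(f['path'])}")
```

Run it as `python audit_lock.py package-lock.json` in CI before the install step; with no argument it audits the constructed sample and reports `bloat-pkg` reached through `left-pad-typo`. Direct fan-out is a deliberately crude signal, but it is exactly the one the nolb pattern cannot hide, since the whole point of such a package is to depend on everything.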
