Malicious NPM packages are part of a malware “barrage” hitting repositories

09/12/2021

Researchers have found another 17 malicious packages in an open source repository, as the use of such repositories to spread malware continues to flourish.

This time, the malicious code was found in NPM, where 11 million developers trade more than 1 million packages among each other. Many of the 17 malicious packages appear to have been spread by different threat actors who used varying techniques and amounts of effort to trick developers into downloading malicious wares instead of the benign ones intended.

This latest discovery continues a trend first spotted a few years ago, in which miscreants sneak information stealers, keyloggers, or other types of malware into packages available in NPM, RubyGems, PyPi, or another repository. In many cases, the malicious package has a name that’s a single letter different than a legitimate package. Often, the malicious package includes the same code and functionality as the package being impersonated and adds concealed code that carries out additional nefarious actions.
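The check a defender wants against the "single letter different" pattern is a pre-install comparison of requested dependency names against an allow-list of well-known packages. The following is an added example in Node.js, not code from the article or from JFrog; KNOWN_PACKAGES and REQUESTED are constructed sample input, and the separator-insensitive comparison (so that a name differing only in a dot or hyphen is also caught) goes beyond the one-letter case the article describes.

```javascript
// Added example (not from the article or from JFrog): flag dependency
// names that sit one edit away from a well-known package.

// Classic Levenshtein distance: insertions, deletions, substitutions.
function levenshtein(a, b) {
  const cols = b.length + 1;
  let prev = Array.from({ length: cols }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[cols - 1];
}

// Names that differ only in separators ("discord.js" vs "discordjs")
// are compared on a normalised form as well.
function normalise(name) {
  return name.toLowerCase().replace(/[._-]/g, '');
}

// One finding per requested name that is not itself on the allow-list
// but lies within maxDistance edits of an allow-listed name.
function findTyposquatCandidates(requested, known, maxDistance = 1) {
  const knownSet = new Set(known);
  const findings = [];
  for (const name of requested) {
    if (knownSet.has(name)) continue; // exact, legitimate name
    for (const k of known) {
      const d = Math.min(
        levenshtein(name, k),
        levenshtein(normalise(name), normalise(k))
      );
      if (d <= maxDistance) {
        findings.push({ requested: name, lookalike: k, distance: d });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample input: a short allow-list of popular packages and
// the dependency list of a hypothetical project.
const KNOWN_PACKAGES = ['discord.js', 'lodash', 'express', 'react'];
const REQUESTED = ['discord.js', 'expres', 'reakt', 'discordjs', 'left-pad'];

for (const f of findTyposquatCandidates(REQUESTED, KNOWN_PACKAGES)) {
  console.log(`WARN ${f.requested} is ${f.distance} edit(s) from ${f.lookalike}`);
}
```

Run it in a CI step before `npm install`; a non-empty finding list is a reason to stop and have a human confirm the name. Exact matches are skipped, so the allow-list itself never triggers.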

A ripe attack vector

“We are witnessing a recent barrage of malicious software hosted and delivered through open-source software repositories,” JFrog researchers Andrey Polkovnychenko and Shachar Menashe wrote on Wednesday. “Public repositories have become a handy instrument for malware distribution: the repository’s server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client provides a ripe attack vector.”

Most of the packages JFrog flagged stole credentials or other information for Discord servers. Discord has become a popular platform for people to communicate through text, voice, and video. Compromised servers can be used as command and control channels for botnets or as a proxy when downloading data from a hacked server. Some packages stole credit card data associated with hacked Discord accounts.

Two packages—discord-lofy and discord-selfbot-v14—came from an author using the name davisousa. They masquerade as modifications of the popular legitimate library discord.js, which enables interaction with the Discord API. The malware incorporates the original discord.js library as its base and then injects obfuscated malicious code into one of the package files.

The JFrog researchers wrote:

The obfuscated version of the code is enormous: more than 4,000 lines of unreadable code, containing every possible method of obfuscation: mangled variable names, encrypted strings, code flattening and reflected function calls.

Through manual analysis and scripting, we were able to deobfuscate the package and reveal that its final payload is quite straightforward—the payload simply iterates over the local storage folders of well-known browsers (and Discord-specific folders), then searches them for strings looking like a Discord token by using a regular expression. Any found token is sent back via HTTP POST to the hardcoded server https://aba45cf.glitch.me/polarlindo.

Another package named fix-error claimed to fix errors in a Discord “selfbot.” It, too, contained malicious code that had been obfuscated but, in this case, was much easier for the researchers to deobfuscate. The researchers soon determined that the hidden code was a stolen version of PirateStealer, an app that steals credit card information, login credentials, and other private data stored in a Discord client. It works by injecting malicious JavaScript code into the Discord client. The code then “spies” on the user and sends the stolen information to a hardcoded address.

A third example is prerequests-xcode, a package that contains remote access trojan functionality. The researchers wrote:

When inspecting the package’s code, we identified it contains a Node.JS port of DiscordRAT (originally written in Python) which gives an attacker full control over the victim’s machine. The malware is obfuscated with the popular online tool obfuscator.io, but in this case it is enough to inspect the list of available commands to understand the RAT’s functionality (copied verbatim).

The full list of packages is:

Package             | Version       | Payload                          | Infection method
--------------------|---------------|----------------------------------|------------------------------------
prerequests-xcode   | 1.0.4         | Remote Access Trojan (RAT)       | Unknown
discord-selfbot-v14 | 12.0.3        | Discord token grabber            | Typosquatting/Trojan (discord.js)
discord-lofy        | 11.5.1        | Discord token grabber            | Typosquatting/Trojan (discord.js)
discordsystem       | 11.5.1        | Discord token grabber            | Typosquatting/Trojan (discord.js)
discord-vilao       | 1.0.0         | Discord token grabber            | Typosquatting/Trojan (discord.js)
fix-error           | 1.0.0         | PirateStealer (Discord malware)  | Trojan
wafer-bind          | 1.1.2         | Environment variable stealer     | Typosquatting (wafer-*)
wafer-autocomplete  | 1.25.0        | Environment variable stealer     | Typosquatting (wafer-*)
wafer-beacon        | 1.3.3         | Environment variable stealer     | Typosquatting (wafer-*)
wafer-caas          | 1.14.20       | Environment variable stealer     | Typosquatting (wafer-*)
wafer-toggle        | 1.15.4        | Environment variable stealer     | Typosquatting (wafer-*)
wafer-geolocation   | 1.2.10        | Environment variable stealer     | Typosquatting (wafer-*)
wafer-image         | 1.2.2         | Environment variable stealer     | Typosquatting (wafer-*)
wafer-form          | 1.30.1        | Environment variable stealer     | Typosquatting (wafer-*)
wafer-lightbox      | 1.5.4         | Environment variable stealer     | Typosquatting (wafer-*)
octavius-public     | 1.836.609     | Environment variable stealer     | Typosquatting (octavius)
mrg-message-broker  | 9998.987.376  | Environment variable stealer     | Dependency confusion
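The last row of the table, dependency confusion, works because a public package carrying an internal name and a higher version number wins resolution over the private one; the 9998.987.376 version is that trick in plain sight. A lockfile audit catches both signals. The following is an added example in Node.js, not code from the article or from JFrog: it walks the `packages` map of a package-lock.json (lockfile version 2) and flags any name on an internal-only list that was resolved from a host other than the internal registry, plus any version with an implausibly large component. SAMPLE_LOCK, the `@acme/*` names, the host `npm.internal.example` and the 999 threshold are constructed assumptions; the threshold in particular needs tuning against what your own registry actually publishes.

```javascript
// Added example (not from the article or from JFrog): audit a
// package-lock.json for dependency-confusion and absurd-version signals.

// Package name from a lockfile key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for the root ("").
function packageName(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Host part of a resolved URL, or null when it does not parse.
function hostOf(url) {
  try {
    return new URL(url).host;
  } catch {
    return null;
  }
}

// Returns [{ name, version, reasons }] for every package that trips a rule.
function auditLockfile(lock, opts) {
  const { internalNames, internalRegistryHost, maxVersionComponent = 999 } = opts;
  const internal = new Set(internalNames);
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (!name) continue; // "" is the project itself
    const reasons = [];
    // Rule 1: an internal-only name that was fetched from anywhere else.
    const host = meta.resolved ? hostOf(meta.resolved) : null;
    if (internal.has(name) && host !== internalRegistryHost) {
      reasons.push(`internal package resolved from ${host}`);
    }
    // Rule 2: a version component far beyond any real release cadence.
    const parts = String(meta.version || '').split('.').map(Number);
    if (parts.some((n) => Number.isFinite(n) && n > maxVersionComponent)) {
      reasons.push(`implausible version ${meta.version}`);
    }
    if (reasons.length) findings.push({ name, version: meta.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile (hypothetical project and registry hosts).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
    },
    'node_modules/@acme/logger': {
      version: '2.3.1',
      resolved: 'https://npm.internal.example/@acme/logger/-/logger-2.3.1.tgz',
    },
    // Internal name, public registry, version chosen to beat the real one.
    'node_modules/@acme/message-broker': {
      version: '9998.987.376',
      resolved: 'https://registry.npmjs.org/@acme/message-broker/-/message-broker-9998.987.376.tgz',
    },
  },
};

const AUDIT_OPTIONS = {
  internalNames: ['@acme/logger', '@acme/message-broker'],
  internalRegistryHost: 'npm.internal.example',
};

for (const f of auditLockfile(SAMPLE_LOCK, AUDIT_OPTIONS)) {
  console.log(`ALERT ${f.name}@${f.version}: ${f.reasons.join('; ')}`);
}
```

Rule 1 is the durable one: pin internal names to the internal registry (scoped registries in .npmrc do this for scoped packages) and treat any lockfile entry that violates it as a build failure. Rule 2 is a heuristic for triage, not a gate.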

As noted earlier, NPM isn’t the only open source repository to be infiltrated with malicious packages. The PyPi repository for Python has seen its share of malware-laden packages, as has RubyGems.

People downloading open source packages should take extra care in making sure the item they’re downloading is legitimate and not malware masquerading as something legitimate. Larger organizations that rely heavily on open source software may find it useful to purchase package management services, which JFrog just happens to sell.
