This Week in Malware—Apache Kafka typosquats, shorthand data exfiltration

May 06, 2022 By Ax Sharma

5 minute read time

This Week In Malware we pull apart a typosquat impersonating an Apache Kafka project and an interesting npm package that downloads another empty npm package—but turns out that's merely a distraction technique.

We further review dependency confusion packages caught this week by Sonatype's automated malware detection bots, offered as a part of the next-generation Nexus platform.

1. Apache Kafka copycat: 'karapace'

Assigned sonatype-2022-2696 in our security research data, first off, we have a PyPI package, 'karapace' analyzed by our senior security researcher Ankita Lamba.

The 'karapace' package has the exact name as the karapace Python package on GitHub which is "An open-source implementation of Kafka REST and Schema Registry."

In the developer's words, 'karapace' offers "Your Apache Kafka® essentials in one tool." And the user squatting the same name on PyPI did not miss an opportunity to reuse the slogan:

But within the 'karapace' published to PyPI we see code that exfiltrates your IP address, environment variables, username, and other system fingerprinting information to a Pipedream address:

Considering the code contained within the package closely resembles several dependency confusion attacks we have seen thus far, this appears to be a PoC research package.

Out of caution, however, Sonatype reported the package to the PyPI security team and the package was taken down.

2. Exfiltration by distraction: npm package that downloads another empty package

On any given day, Sonatype's security research team analyzes dozens to hundreds of suspicious packages published to open source registries including npm and PyPI.

But, this one—"speedy-ts-compiler" stood out to us. It is named after a hypothetical package used as an example within TypeStrong's official docs and READMEs.

TypeScript Node

But, the "speedy-ts-compiler" caught by us downloads an empty npm package, "tastytreats" while simultaneously exfiltrating your IP address and username using the 'npm get cache' value. A sleek distraction technique!

Read more about "speedy-ts-compiler" in a separate blog post published today.

3. Colorful 'colors' typosquats caught

This week, Sonatype discovered multiple npm packages that impersonate the vastly popular 'colors' JavaScript library, but instead pack Discord infostealing malware. These typosquats, shown below, have been assigned vulnerability identifier, sonatype-2022-2601 in our security data:

These findings come after just last month we had caught malicious colors-2.0, colors-3.0, and colorsss.

Interestingly, the C2 server domain found within some of these packages makes a "Piranha" reference. We wonder what is that about?

Read more in a dedicated blog post on this discovery.

Mega Piranha (TV Movie 2009) - IMDb

4. This week in dependency confusion

Like any other week, Sonatype continues to identify several dependency confusion packages this week. These packages, found in the npm registry, are listed below:

angular-rs-loading
construct-burst
partner-analytics
pdfgrabber
teams-data

Nexus Firewall users remain protected

Sonatype remains at the forefront of timely discoveries and reporting attacks targeting OSS developers and the gaming community.

Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds. 

U-cofx0-oAHuk7B8hQ_0YBbx7E9LQSW04uag5iP4Q7mdyUWkjohGvAiYYykP8LnvXzbz7CUADYOIt3X4KVAozG7Sxz7PFEffVVl_TP2LufuKfXcPzVvjvk3Br_IPtFK9776-HbUE

Nexus Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in the works, thereby keeping your software supply chain protected from the start. 

Sonatype’s world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from infections.

Tags: vulnerabilities, Nexus Firewall, malware prevention, DevZone, This Week in Malware

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.