This Week In Malware we pull apart a typosquat impersonating an Apache Kafka project and an interesting npm package that downloads another empty npm package—but turns out that's merely a distraction technique.
We further review dependency confusion packages caught this week by Sonatype's automated malware detection bots, offered as a part of the next-generation Nexus platform.
1. Apache Kafka copycat: 'karapace'
The 'karapace' package has the exact name as the karapace Python package on GitHub which is "An open-source implementation of Kafka REST and Schema Registry."
In the developer's words, 'karapace' offers "Your Apache Kafka® essentials in one tool." And the user squatting the same name on PyPI did not miss an opportunity to reuse the slogan:
But within the 'karapace' published to PyPI we see code that exfiltrates your IP address, environment variables, username, and other system fingerprinting information to a Pipedream address:
Considering the code contained within the package closely resembles several dependency confusion attacks we have seen thus far, this appears to be a PoC research package.
Out of caution, however, Sonatype reported the package to the PyPI security team and the package was taken down.
2. Exfiltration by distraction: npm package that downloads another empty package
On any given day, Sonatype's security research team analyzes dozens to hundreds of suspicious packages published to open source registries including npm and PyPI.
But, this one—"speedy-ts-compiler" stood out to us. It is named after a hypothetical package used as an example within TypeStrong's official docs and READMEs.
But, the "speedy-ts-compiler" caught by us downloads an empty npm package, "tastytreats" while simultaneously exfiltrating your IP address and username using the 'npm get cache' value. A sleek distraction technique!
Read more about "speedy-ts-compiler" in a separate blog post published today.
3. Colorful 'colors' typosquats caught
These findings come after just last month we had caught malicious colors-2.0, colors-3.0, and colorsss.
Interestingly, the C2 server domain found within some of these packages makes a "Piranha" reference. We wonder what is that about?
Read more in a dedicated blog post on this discovery.
4. This week in dependency confusion
Like any other week, Sonatype continues to identify several dependency confusion packages this week. These packages, found in the npm registry, are listed below:
Nexus Firewall users remain protected
Sonatype remains at the forefront of timely discoveries and reporting attacks targeting OSS developers and the gaming community.
Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.
Nexus Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in the works, thereby keeping your software supply chain protected from the start.
Sonatype’s world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from infections.