This Week in Malware—npm backdoors, bugs, 'mystery placeholders'

April 29, 2022 By Ax Sharma

6 minute read time

This week in malware, Sonatype's automated malware detection systems flagged npm packages laced with embedded backdoors. Additionally, the latest highlights include an interesting pattern of "mystery placeholder" packages seen on npm in the past few days and a dangerous npm flaw that allowed attackers to add anyone as a 'maintainer' to their malicious packages. 

1. Backdoored npm packages

The malicious packages flagged by our automated malware detection systems include:

  • aaiofkkp
  • fitt-addons
  • pix-xui
  • wickjs

These have been assigned sonatype-2022-2481 in our security research data.

While their names may not imply much or the target, these packages begin malicious activity as soon as they are installed. For example, inside 'wickjs,' the manifest file (package.json) runs index.js at preinstall stage:

The index.js file, in addition to pulling a standard dependency confusion attack, attempts to add the author's public SSH key to the list of authorized keys on the infected system:

Some versions of 'wickjs' and these malicious packages additionally act as a backdoor by establishing a TCP reverse shell connection to the attacker's computer (line 22 shown below). The attacker would now be able to run arbitrary commands on the infected system.

After our report to npm, these malicious packages were taken down by the npm security team. Users of Nexus Firewall remain protected from open source attacks like these.

2. Discord stealers and dependency confusion

A theme of OSS attacks that's just not willing to die down includes Discord token & Roblox cookie stealers.

Various packages caught by our malware bots, including 'discord.js-selfv13' and 'discord.js-selfv14' this week, demonstrate attackers continuing to focus on Discord developers and gamers writing npm scripts.

In addition to packing code from legitimate Discord libraries spanning hundreds of files, these packages contain obfuscated code hidden deep within subdirectories.

For example, the 'discord.js-selfv14' typosquat analyzed by Sonatype security researcher Ali ElShakankiry hides malware in a file present at 'package/src/client/actions/Ready.js,' that a developer might miss glancing through.

These Discord typosquats have been assigned sonatype-2022-2482 within Sonatype's vulnerability database.

The dependency confusion candidates identified by Sonatype this week include:

  1. @munters/calculations
  2. @sorare-marketplace/components
  3. af-mason
  4. af-test
  5. base-parts-ipc
  6. clientlib-manifests
  7. composer-bridge
  8. composer-composer-validator
  9. composer-packager
  10. composer-sandbox
  11. composer-scaffold
  12. composer-turbine
  13. composer-turbine-loader
  14. composer-turbine-schemas
  15. composer-turbine-schemasy
  16. composer-validator
  17. ctct-theme
  18. cursorecon
  19. design-system-colors
  20. forgejs-plugins
  21. grafana-cluster
  22. onboarding-setup-guide
  23. platform-node
  24. react-monorail-next
  25. realtime-react
  26. realtime-react-ui
  27. reddit-country-url-redirects
  28. ui-extensions-server-kit
  29. vs-platform-instantiation
  30. vs-platform-node
  31. xterm-common

After our report to npm, these dependency confusion candidates and Discord stealers were also taken down. Once again, users of Nexus Firewall remain protected from open source attacks like these.

3. Hundreds of mystery 'placeholders' every week

Whenever npm takes down a malicious package, an empty placeholder package is placed in lieu of the removed package, and the placeholder typically has just one version: '0.0.1-security' or '0.0.2-security.'

For example, after we reported the malicious 'discord.js-selfv14' package to npm, an empty placeholder page and package were placed in its place, with a single version.

But in an interesting pattern observed lately, we are seeing hundreds of real-sounding npm packages being published to the npmjs.com registry multiple times a week. These packages often get picked up by flagged by our automated malware detection bots.

But, each of these packages, such as 'nodejs-gcloud-pubsub-module', are empty and contain no malicious code. These are placeholder packages with one twist: for each of these placeholders, npm has published and removed hundreds of placeholder versions in a short span of time for no obvious reason.

To illustrate the example better, the aforementioned package, 'nodejs-gcloud-pubsub-module,' assigned sonatype-2022-2461, has had the following versions published for it over time.

Each of these versions are empty, with no version ever known to contain malicious code.

An npm representative clarified to Sonatype: "Please know that the packages are made, and used, by npm staff for various testing purposes. They are not malicious, and you and your team does not need to report them to us in the future."

A plausible theory is, in addition to running security tests, npm is reserving package names that are identical to those of known private packages. In this manner, attackers are no longer able to conduct dependency confusion or typosquat attacks—at least against a subset of private packages that are known to npm.

4. NPM fixes bug allowing 'maintainer' tampering

npm has fixed a logical flaw that enabled an attacker on the npm registry to add anyone, and any number of npm users, as 'maintainers' to their malicious project. The attacker could then remove themselves from the list of project maintainers to pass their malicious creation as more trustworthy.

To a developer, the package would now look like it was created by the newly-added maintainers, not the attacker.

In a PoC test, security researcher Yakir Kadkoda of Aqua Security published a mock package 'fb_npm_package' to npm and added 'Facebook' (Meta) and 'npm' as the package's maintainers. Kadkoda then removed himself from the maintainers' list, causing his package to appear as if it had been published by these popular organizations.

Although GitHub has now resolved the issue and replicating the attack is no longer a possibility, npm users are advised to verify that all projects listed under their accounts were indeed added by them.

"npm users should check that all the packages that are listed under their name truly belong to them, to make sure they weren't added to any projects without their consent," warns the researcher.

Tags: vulnerabilities, Nexus Firewall, featured, DevZone

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.