This Week in Malware—July 15th Edition

July 15, 2022 By Ax Sharma


This Week in Malware we discovered and analyzed multiple PyPI and npm packages that are dependency confusion candidates or prank packages, contain proof-of-concept (PoC) reverse shell code, or were otherwise flagged as suspicious for containing extensive obfuscation without good reason.

These packages are listed below:

@contasimples/simples-react-ui
@vrtnu/react-native-theo-player
@vrtnu/web-components
Alexsecdemo
api-discord.js
apollo.console
careem-captain-earning-experience
com-raisin-customer-new-message-ips
com.alice.adonis
crashtravel-utilities
deere-i18n
dw-header-footer-paypal
eslint-plugin-internal
header-footer-paypal
html-live-player
hwzpgf
indy-vdr-shared
k0s
mediasoup-sdp-bridge
mongodb-stitch-browser-testutils
mozi-metrics
patrick-test2
percy-web
postman-echo-nock
ppreact-lib
redox-phone-support
remotepshell
shared-dam-app
shas
skd64
sm-cesium
wm-cookies-api
wm-publish-statuses
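Two of the signals that get a package onto a list like this are an install-time lifecycle hook and source code that is heavily obfuscated for no evident reason. The following is an added example of a heuristic triage script that scores an npm package on both, written from a defender's point of view; it is not Sonatype's detection logic, the thresholds and patterns are assumptions to be tuned against a corpus of known-good packages, and the two manifests and source snippets it runs on are constructed for the example rather than taken from any package named above.

```python
import json
import math
import re
from collections import Counter

# npm lifecycle hooks that execute code on the consumer's machine at install time
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns commonly left behind by JavaScript obfuscators (assumed heuristics)
HEX_ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")
UNICODE_ESCAPE_RUN = re.compile(r"(?:\\u[0-9a-fA-F]{4}){8,}")
BASE64_BLOB = re.compile(r"""['"]([A-Za-z0-9+/]{80,}={0,2})['"]""")
DYNAMIC_EVAL = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")
HEX_IDENTIFIERS = re.compile(r"\b_0x[0-9a-fA-F]{4,}\b")
STRING_LITERAL = re.compile(r"'([^'\n]*)'|\"([^\"\n]*)\"")

# Assumed thresholds: tune against your own set of known-good packages
ENTROPY_THRESHOLD = 4.5   # bits per character for a "random-looking" literal
MIN_LITERAL_LEN = 32      # ignore short literals, which are noisy
REVIEW_SCORE = 3          # score at or above which a human should look


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded or encrypted blobs score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def obfuscation_findings(source: str) -> list:
    """Return a short tag for each obfuscation indicator present in the source."""
    findings = []
    if HEX_ESCAPE_RUN.search(source) or UNICODE_ESCAPE_RUN.search(source):
        findings.append("escape_runs")          # strings hidden as \xNN / \uNNNN runs
    if BASE64_BLOB.search(source):
        findings.append("base64_blob")          # large encoded payload in a literal
    if DYNAMIC_EVAL.search(source):
        findings.append("dynamic_eval")         # code built and run at runtime
    if len(set(HEX_IDENTIFIERS.findall(source))) >= 3:
        findings.append("hex_identifiers")      # obfuscator-style _0xNNNN names
    literals = [a or b for a, b in STRING_LITERAL.findall(source)]
    if any(len(s) >= MIN_LITERAL_LEN and shannon_entropy(s) > ENTROPY_THRESHOLD
           for s in literals):
        findings.append("high_entropy_strings")
    return findings


def triage_package(package_json: str, entry_source: str) -> dict:
    """Combine manifest lifecycle hooks and source indicators into a verdict."""
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts", {})
    hooks = [h for h in LIFECYCLE_HOOKS if h in scripts]
    findings = obfuscation_findings(entry_source)
    # Install hooks weigh more: they run before anyone has read the code
    score = len(findings) + (2 if hooks else 0)
    return {
        "name": manifest.get("name"),
        "lifecycle_hooks": hooks,
        "findings": findings,
        "score": score,
        "verdict": "review" if score >= REVIEW_SCORE else "low",
    }


# Constructed sample inputs (hypothetical packages, not ones from the post)
CLEAN_MANIFEST = json.dumps({
    "name": "@example-org/widgets",
    "version": "1.0.0",
    "scripts": {"test": "node test.js"},
})
CLEAN_SOURCE = """
const fs = require('fs');
const cfg = JSON.parse(fs.readFileSync('config.json', 'utf8'));
module.exports = function greet(name) { return 'Hello, ' + name + cfg.suffix; };
"""

SUSPECT_MANIFEST = json.dumps({
    "name": "example-internal-helper",
    "version": "0.0.1",
    "scripts": {"postinstall": "node index.js"},
})
# The escaped strings decode to the harmless words "constructed" and "sample_only"
SUSPECT_SOURCE = r"""
var _0x4f2a=['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x65\x64','\x73\x61\x6d\x70\x6c\x65\x5f\x6f\x6e\x6c\x79'];
var _0x1b3c=function(_0x2d4e){return _0x4f2a[_0x2d4e];};
eval(Buffer.from('QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODkwYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=','base64').toString());
"""

if __name__ == "__main__":
    for manifest, source in ((CLEAN_MANIFEST, CLEAN_SOURCE), (SUSPECT_MANIFEST, SUSPECT_SOURCE)):
        print(json.dumps(triage_package(manifest, source), indent=2))
```

The script is a first-pass filter, not a verdict: minified bundles legitimately trip the entropy and identifier checks, and a postinstall hook is normal for packages that compile native code, which is why the output is a score routed to a reviewer rather than a block decision. Running it over the tarball's `package.json` and the file named in its `main` field (or each lifecycle script's target) is the realistic input.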


This discovery follows last week's report of malicious Python packages that stole Telegram cache files and set up illicit Remote Desktop Protocol (RDP) accounts on Windows systems.

As a DevSecOps organization, we remain committed to identifying and halting attacks against open source developers and the wider software supply chain, like the ones discussed above.

Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds. 


Nexus Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in the works, thereby keeping your software supply chain protected from the start. 

Sonatype’s world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from infections.

Tags: vulnerabilities, npm, PyPI, malware prevention, DevZone, This Week in Malware

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.