This Week in Malware, we continue to see an uptick in outright malicious and dependency confusion packages employing novel tactics. A list of some of the packages caught by Sonatype's automated malware detection systems is given below and more analysis is expected to follow in subsequent blog posts next week.
npm package steals Amazon EC2, Windows SAM credentials
CyberArk Core PAS (Privileged Access Security) is a prominent access management solution, and '@core-pas/cyb-core' in particular appears to target CyberArk developers, as the name suggests.
Except that these dependency confusion packages, assigned sonatype-2022-3360, attempt to exfiltrate sensitive files such as:
A snippet of code contained within '@core-pas/cyb-core' shown below demonstrates how the package goes well beyond the basic proof-of-concept stage when it peeks into these sensitive files.
The data collected is then uploaded to the domain shown below via a POST request:
The list of some more npm dependency confusion packages caught this week is shown below, but this is by no means exhaustive, and dozens of packages are still awaiting analysis by our research team:
These packages were reported to npm by us prior to publishing.
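A defender-side check for the exposure that scoped dependency confusion packages like '@core-pas/cyb-core' rely on, added here as an example that is not part of Sonatype's post or tooling: it reads an npm lockfile (v2/v3 "packages" layout) and flags any package under a private scope that was resolved from anywhere other than the private registry. The scope '@core-pas', the host 'npm.internal.example' and the lockfile contents are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Hypothetical internal scope and private registry host (constructed).
PRIVATE_SCOPES = {"@core-pas"}
PRIVATE_REGISTRY_HOSTS = {"npm.internal.example"}

# Constructed lockfile: one scoped package pulled from the public registry,
# one from the private registry, and one unscoped public package.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@core-pas/cyb-core": {
            "version": "9.9.9",
            "resolved": "https://registry.npmjs.org/@core-pas/cyb-core/-/cyb-core-9.9.9.tgz"},
        "node_modules/@core-pas/shared-utils": {
            "version": "2.1.0",
            "resolved": "https://npm.internal.example/@core-pas/shared-utils/-/shared-utils-2.1.0.tgz"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    },
})

def find_confused_packages(lockfile_text, private_scopes, private_hosts):
    """Return (name, version, resolved) for every package under a private
    scope whose resolved URL does not point at a private registry host."""
    lock = json.loads(lockfile_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                       # "" is the root project entry
            continue
        # Lockfiles only carry "name" when it differs from the path.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if scope not in private_scopes:
            continue
        resolved = meta.get("resolved", "")
        host = urlparse(resolved).hostname   # None when no resolved URL
        if host not in private_hosts:        # public registry or unknown
            findings.append((name, meta.get("version"), resolved))
    return findings

if __name__ == "__main__":
    for name, version, resolved in find_confused_packages(
            SAMPLE_LOCKFILE, PRIVATE_SCOPES, PRIVATE_REGISTRY_HOSTS):
        print(f"DEPENDENCY CONFUSION RISK: {name}@{version} from {resolved}")
```

A package missing its resolved URL is also flagged, since the check cannot confirm where it came from.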
Malicious Python package with encrypted payload
Malicious Python (PyPI) packages caught by us this week include:
As the name suggests, aiohttp-* packages are a recurrent theme of trojans impersonating the AIOHTTP library, as we've discussed earlier. 'roblox-wrapper' is another example of Roblox and Discord malware targeting the gaming community.
The 'very-hackerman' package, assigned sonatype-2022-3289, contains an encrypted payload, as analyzed by our security researcher Adam Reynolds.
"The `setup.py` file contains a series of encrypted commands that exfiltrate data from the affected system to a Discord server controlled by the attacker, then attempts to open a reverse shell connection to a remote IP, allowing the attacker to execute OS commands on the compromised host," explains Reynolds.
We reported these packages to the PyPI security team prior to publishing and these were taken down.
Nexus Firewall users remain protected
Sonatype remains at the forefront of timely discoveries and reporting attacks targeting OSS developers, like the ones discussed above.
Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.
Nexus Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in the works, thereby keeping your software supply chain protected from the start.
Sonatype's world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from infections.