This Week in Malware - Almost 100 Packages

September 16, 2022 By Aaron Linskens


This week in malware we discovered and analyzed over seven dozen packages flagged as malicious, as suspicious, or as dependency confusion attacks.

Malicious packages caught by Sonatype

We caught the following this week via Sonatype’s automated malware detection system, offered as a part of Nexus Firewall:


These discoveries follow our report last week of dependency confusion candidates published as proof-of-concept (PoC) exercises by security enthusiasts and bug bounty hunters.

Turn on Nexus Firewall for Automatic Protection

As a DevSecOps organization, we remain committed to identifying and halting attacks, such as those mentioned above, against open source developers and the wider software supply chain.

Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.

A flowchart representation of how Nexus Firewall works

Nexus Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in progress, thereby keeping your software supply chain protected from the start.

Sonatype’s world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from infections.

Tags: vulnerabilities, PyPI, malware prevention, DevZone, This Week in Malware

Written by Aaron Linskens

Aaron is a technical writer on Sonatype's Developer Relations team. He works at a crossroads of technical writing, developer advocacy, software development, and open source. He aims to get developers and non-technical collaborators to work well together via experimentation, feedback, and iteration so they can build the right software.