This Week in Malware - 135 packages target npm and PyPI registries

September 30, 2022 By Aaron Linskens


This week in malware, we discovered and analyzed 135 packages flagged as malicious, suspicious, or dependency confusion attacks in npm and PyPI registries.

Malicious packages caught by Sonatype

We caught the following this week via Sonatype's automated malware detection system, offered as a part of Sonatype Repository Firewall:


These discoveries follow last week's report, in which we covered over five dozen newly discovered packages.

Turn on Sonatype Repository Firewall for automatic protection

As a DevSecOps organization, we remain committed to identifying and halting attacks, such as those mentioned above, against open source developers and the wider software supply chain.

Users of Sonatype Repository Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.

[Figure: Sonatype Repository Firewall flowchart]

Sonatype Repository Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in progress, thereby keeping your software supply chain protected from the start.

Sonatype's world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from infections.

Tags: vulnerabilities, npm, PyPI, malware prevention, DevZone, This Week in Malware

Written by Aaron Linskens

Aaron is a technical writer on Sonatype's Marketing team. He works at a crossroads of technical writing, developer advocacy, software development, and open source. He aims to get developers and non-technical collaborators to work well together via experimentation, feedback, and iteration so they can build the right software.