This Week in Malware—show me your secrets!

June 24, 2022 By Ax Sharma

3 minute read time

This Week in Malware, highlights include malicious Python packages that not only exfiltrate your secrets—AWS credentials and environment variables but rather upload these to a publicly exposed endpoint. Also stated below are some more dependency confusion packages caught by us.

1. Python packages upload your AWS keys, env vars to the web

Multiple Python packages caught by Sonatype this month upload your AWS credentials and environment variables to a publicly exposed endpoint.

These malicious packages, assigned sonatype-2022-3475 and sonatype-2022-3546 are:

Analyzed by Sonatype security researchers Jorge Cardona and Carlos Fernández, some of these packages either contain code that reads and exfiltrates your secrets or use one of the dependencies that will do the job.

Read the dedicated blog post on the topic to learn more.

2. Dependency confusion packages

This week's dependency confusion findings include npm packages:

cvent-web-components
dapp-inter
dapp-inter-agservers
dapp-inter-ui
megaman0072

Nexus Firewall users remain protected

This discovery follows our last week's report of several dozen malicious packages including npm package 'flame-vali' that attempted to disable Windows Defender multiple times before dropping a trojan.

Sonatype remains at the forefront of timely discoveries and reporting attacks targeting OSS developers, like the ones discussed above.

Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds. 

U-cofx0-oAHuk7B8hQ_0YBbx7E9LQSW04uag5iP4Q7mdyUWkjohGvAiYYykP8LnvXzbz7CUADYOIt3X4KVAozG7Sxz7PFEffVVl_TP2LufuKfXcPzVvjvk3Br_IPtFK9776-HbUE

Nexus Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in the works, thereby keeping your software supply chain protected from the start. 

Sonatype’s world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from infections.

Tags: vulnerabilities, Nexus Firewall, PyPI, malware prevention, DevZone, This Week in Malware

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.