Despite efforts taken in recent years to proactively monitor public software repositories for malicious code, packages that bundle malware continue to routinely pop up in such places. Researchers recently identified two legitimate-looking packages that remained undetected for over two months and deployed an open-source information-stealing trojan called TurkoRat.

Effective use of typosquatting on malicious npm packages

Attackers attempt to trick users into downloading malicious packages in several ways, and typosquatting is one of the most popular because it doesn’t take a lot of effort. This technique involves copying a legitimate package, adding malicious code to it and publishing it with a different name that’s a variation of the original, in the hope that users will find it when searching for the real package.

This was the case with a package called nodejs-encrypt-agent that recently caught the attention of researchers from software supply chain security firm ReversingLabs because it displayed a combination of suspicious characteristics and behaviors. First, the name of the package in the npm registry was different from that declared in its readme.md file: agent-base. Second, the first version of the package uploaded to the registry was 6.0.2, which is unusual because new packages typically start out with a low version like 1.0 or even lower.

When the researchers searched for agent-base it all made sense. This is a legitimate package whose most popular version on the registry is 6.0.2 with over 20 million downloads. A code comparison revealed that nodejs-encrypt-agent was just a copy of agent-base’s code base with a few modifications. In fact, the rogue package even contained a link to agent-base’s GitHub page, possibly to appear more legitimate.

“In the course of analyzing millions of suspicious packages, the ReversingLabs team has identified a number of combinations of behaviors that, when seen together, are highly indicative of malicious activity,” the researchers said in a report. “For example, open-source packages that contain hard-coded IP addresses in their code, while also executing commands and writing data to files, in our experience, usually turn out to be malicious. It is true: None of those capabilities, individually, are malicious. When seen in combination, however, they’re usually supporting malicious functionality.”
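The indicators described above (a README that names a different package than package.json does, a first release carrying a mature version number, and the combination of a hard-coded IP address with command execution and file writes) can be turned into a simple triage check a registry maintainer or a dependency-review pipeline can run. The following is an added example, not code from the article or from ReversingLabs; the package contents it inspects are constructed samples with placeholder names (`example-encrypt-agent`, `example-agent-base`), the `major >= 2` threshold for a "first version looks inherited" flag is an assumption, and the regexes are deliberately coarse heuristics rather than a parser.

```javascript
// Added example: heuristic triage of an npm package using the article's indicators.
// All sample package data below is constructed; it is not the real package's content.

// Name declared by the first level-1 markdown heading of a README, if any.
function readmeDeclaredName(readme) {
  const m = readme.match(/^#\s+([@\w./-]+)\s*$/m);
  return m ? m[1] : null;
}

// A brand-new package whose very first published version already has a high
// major number (threshold is an assumption) may have inherited it from the
// project it was copied from.
function firstVersionLooksInherited(publishedVersions) {
  if (publishedVersions.length === 0) return false;
  const major = parseInt(publishedVersions[0].split('.')[0], 10);
  return Number.isInteger(major) && major >= 2;
}

// Behaviours that are individually benign but suspicious in combination.
const IPV4 = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/;
const EXEC = /\bchild_process\b|\b(?:exec|execSync|spawn|spawnSync)\s*\(/;
const WRITE = /\b(?:writeFile|writeFileSync|appendFile|appendFileSync|createWriteStream)\s*\(/;

function codeBehaviours(source) {
  return {
    hardcodedIp: IPV4.test(source),
    executesCommands: EXEC.test(source),
    writesFiles: WRITE.test(source),
  };
}

// Combine the indicators. Two or more findings mark the package for review;
// none of them alone is treated as proof of malice.
function triagePackage(pkg) {
  const findings = [];
  const declared = readmeDeclaredName(pkg.readme);
  if (declared && declared !== pkg.packageJson.name) {
    findings.push(`README declares "${declared}" but package.json name is "${pkg.packageJson.name}"`);
  }
  if (firstVersionLooksInherited(pkg.publishedVersions)) {
    findings.push(`first published version ${pkg.publishedVersions[0]} looks inherited from another project`);
  }
  const b = codeBehaviours(pkg.source);
  const present = Object.entries(b).filter(([, v]) => v).map(([k]) => k);
  if (present.length >= 2) {
    findings.push(`behaviour combination: ${present.join(', ')}`);
  }
  return { findings, suspicious: findings.length >= 2 };
}

// Constructed sample resembling the clone pattern the article describes.
const CLONE_SAMPLE = {
  packageJson: { name: 'example-encrypt-agent', version: '6.0.2' },
  publishedVersions: ['6.0.2'],
  readme: '# example-agent-base\n\nHTTP agent helper. See https://github.com/example/agent-base\n',
  source: [
    "const fs = require('fs');",
    "const { execSync } = require('child_process');",
    "const beacon = 'http://203.0.113.10/x'; // 203.0.113.0/24 is a documentation range",
    "fs.writeFileSync('/tmp/out.txt', execSync('uname -a'));",
  ].join('\n'),
};

// Constructed sample of an ordinary first release.
const BENIGN_SAMPLE = {
  packageJson: { name: 'left-pad-demo', version: '1.0.0' },
  publishedVersions: ['1.0.0', '1.0.1'],
  readme: '# left-pad-demo\n\nPads strings.\n',
  source: 'module.exports = (s, n) => String(s).padStart(n);',
};

console.log(JSON.stringify(triagePackage(CLONE_SAMPLE), null, 2));
console.log(JSON.stringify(triagePackage(BENIGN_SAMPLE), null, 2));
```

In practice the `source` input would be the concatenated files of the downloaded tarball and `publishedVersions` the `versions` list from the registry's package metadata; the scoring deliberately requires at least two independent findings so that a README typo or a legitimately high first version does not on its own flag a package.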