Researchers found a small set of malicious npm packages that together gathered over a thousand downloads from developers worldwide. The packages concealed TurkoRAT, an open-source information stealer.
Thanks to their stealth and very low detection rate, the packages sat on the npm registry for over two months before researchers discovered them.
The packages
The packages (nodejs-encrypt-agent, axios-proxy, and nodejs-cookie-proxy-agent) were downloaded about 1,200 times in total.
They were published in several versions to widen their reach: developers often adopt the latest version of a package quickly, without evaluating what changed in it.
The nodejs-encrypt-agent package masqueraded as the legitimate npm module agent-base, which has over 25 million downloads.
About TurkoRAT
Researchers note that TurkoRAT is one of many open-source malware families published ostensibly for testing purposes that can readily be repurposed for real attacks.
It harvests sensitive data from infected systems, including login credentials and cryptocurrency wallets, and includes anti-detection features that make it hard to analyze in sandbox environments.
Malicious npm packages raise concerns
Cybercriminals increasingly use malicious packages to deliver malware and mount software supply chain attacks.
In May, threat actors were found distributing KEKW malware via malicious Python .whl files. The malware collected system data such as login details, computer name, Windows product key and version, RAM capacity, HWID, IP address, geolocation, and Google Maps information.
In another incident, cybercriminals flooded the npm registry with blank (empty) packages, disrupting the site through a denial-of-service attack.
Separately, phishing links were distributed via thousands of rogue npm modules, with threat actors using automation to generate the module names and project descriptions.
Conclusion
Though malicious packages are removed as soon as they are discovered, open-source package registries remain a threat vector for organizations. Attackers who mimic legitimate packages have proven the most successful, so developers must verify a package's authenticity (its publisher, history and contents, not just its name) before installing it.
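The checks this conclusion calls for, written out as an added example that is not code from the article, from ReversingLabs, or from any package named above. It audits a constructed package.json dependency block against constructed registry metadata for the warning signs the page describes: a name or description that imitates a popular package (the agent-base pattern above), an unpinned version range that silently pulls in a new release (the "latest version" habit noted above), install-time scripts and bundled executables. The package names http-encrypt-agent and axois are invented stand-ins, not real npm packages, and the distance and download thresholds are heuristics chosen for the example.

```javascript
// Added example (not code from the article, ReversingLabs or any package it
// names): a pre-install audit of a dependency list. All registry metadata
// below is constructed for the example. To use it for real, replace REGISTRY
// with the fields `npm view <name> --json` returns (plus a weekly download
// count from the npm downloads API) and DEPENDENCIES with the "dependencies"
// block of your package.json.

// Constructed stand-ins for well-known packages a lookalike might imitate.
const KNOWN = {
  "agent-base": { description: "Turn a function into an http.Agent instance" },
  "axios": { description: "Promise based HTTP client for the browser and node.js" },
};

// Constructed metadata. "http-encrypt-agent" and "axois" are hypothetical
// names invented for this example, not packages on npm.
const REGISTRY = {
  "agent-base": {
    description: "Turn a function into an http.Agent instance",
    scripts: {}, files: ["dist/index.js"], weeklyDownloads: 25000000,
  },
  "axios": {
    description: "Promise based HTTP client for the browser and node.js",
    scripts: { test: "mocha" }, files: ["dist/axios.js"], weeklyDownloads: 45000000,
  },
  "http-encrypt-agent": { // copies agent-base's description, bundles an .exe
    description: "Turn a function into an http.Agent instance",
    scripts: { postinstall: "node lib/agent.js" },
    files: ["lib/agent.js", "lib/agent.exe"], weeklyDownloads: 400,
  },
  "axois": { // two edits away from "axios"
    description: "Promise based HTTP client",
    scripts: {}, files: ["index.js"], weeklyDownloads: 50,
  },
};

// Hooks npm runs automatically during `npm install`: code in one of these
// executes even if the package is never imported.
const INSTALL_HOOKS = new Set(["preinstall", "install", "postinstall", "prepare"]);
const EXECUTABLE = /\.(exe|dll|node|so|dylib|bin|scr)$/i;
const MAX_NAME_DISTANCE = 2;       // heuristic: catches "axois" vs "axios"
const MIN_WEEKLY_DOWNLOADS = 1000; // heuristic: a popular package's twin should not be obscure

// Levenshtein distance between two strings (two-row dynamic programme).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
                        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns a list of human-readable findings for one dependency; empty means
// nothing suspicious under these heuristics (not a proof of safety).
function auditPackage(name, range, meta) {
  const findings = [];
  if (!/^\d+\.\d+\.\d+$/.test(range)) {
    findings.push(`version "${range}" is not pinned; a new release installs without review`);
  }
  if (!(name in KNOWN)) { // only unknown packages are tested for imitation
    for (const [known, info] of Object.entries(KNOWN)) {
      if (editDistance(name, known) <= MAX_NAME_DISTANCE) {
        findings.push(`name is within ${MAX_NAME_DISTANCE} edits of "${known}"`);
      }
      if (meta.description === info.description) {
        findings.push(`description copied from "${known}"`);
      }
    }
    if (meta.weeklyDownloads < MIN_WEEKLY_DOWNLOADS) {
      findings.push(`only ${meta.weeklyDownloads} weekly downloads`);
    }
  }
  const hooks = Object.keys(meta.scripts || {}).filter((s) => INSTALL_HOOKS.has(s));
  if (hooks.length) findings.push(`runs install-time scripts: ${hooks.join(", ")}`);
  const binaries = (meta.files || []).filter((f) => EXECUTABLE.test(f));
  if (binaries.length) findings.push(`ships executable files: ${binaries.join(", ")}`);
  return findings;
}

// Audits every entry of a package.json "dependencies" object.
function auditDependencies(deps, registry = REGISTRY) {
  const report = {};
  for (const [name, range] of Object.entries(deps)) {
    const meta = registry[name];
    report[name] = meta ? auditPackage(name, range, meta) : ["not found in registry metadata"];
  }
  return report;
}

// Constructed "dependencies" block of a package.json.
const DEPENDENCIES = { "agent-base": "7.1.0", "http-encrypt-agent": "^6.0.0", "axois": "1.0.0" };

for (const [name, findings] of Object.entries(auditDependencies(DEPENDENCIES))) {
  console.log(findings.length ? `REVIEW ${name}\n  - ${findings.join("\n  - ")}` : `ok     ${name}`);
}
```

Run with node; agent-base comes back clean, http-encrypt-agent collects five findings (unpinned range, copied description, low download count, a postinstall hook and a bundled .exe) and axois two (name distance and download count). The audit is a triage filter, not a verdict: a package that passes still deserves a look at its publisher and its tarball contents, and a legitimate native module will trip the executable and install-hook checks and has to be reviewed by hand.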