TurkoRAT posed as NPM packages to target developers

June 21, 2023

Several npm packages have accumulated over a thousand downloads from developers worldwide. According to reports, the malicious packages contained an open-source information stealer dubbed TurkoRAT.

Moreover, the packages stayed in the npm repository for about two months before researchers recently spotted them. They went unnoticed for that long because of their low detection rate and the well-obfuscated malware they carried.

Researchers identified the malicious packages as axios-proxy, nodejs-encrypt-agent, and nodejs-cookie-proxy-agent. Unsuspecting developers had already downloaded them about 1,200 times.

The threat actors published the packages in several versions to reach more victims. Developers typically adopt the latest version of a package quickly, without reviewing or assessing what the npm package actually contains.

nodejs-cookie-proxy-agent impersonated agent-base, a legitimate npm module that currently has more than 25 million downloads.
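As a defensive illustration of the two points above (developers auto-adopting new versions, and malicious packages that impersonate well-known modules), here is an added example written for this page; it is not code from the article or from any project the article names. It audits the dependency map of a package.json against the three package names the article reports as malicious, flags names within a small edit distance of protected modules (agent-base is from the article; axios is an assumed second entry), and flags version ranges that would silently adopt a newer release. The package.json content and the look-alike name agent-baze are constructed for the demonstration and are not real findings.

```javascript
// Added example, not part of the article. Audits a package.json dependency map for
// (1) names reported as malicious, (2) look-alikes of protected module names and
// (3) version ranges that float to newer releases instead of pinning one.

// Package names the article reports as carrying TurkoRAT.
const KNOWN_MALICIOUS = new Set([
  "axios-proxy",
  "nodejs-encrypt-agent",
  "nodejs-cookie-proxy-agent",
]);

// Popular modules whose names are worth guarding against look-alikes.
// agent-base is named in the article; axios is an assumed addition.
const PROTECTED_NAMES = ["agent-base", "axios"];

// Levenshtein edit distance between two strings (two-row dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// True when the range is anything other than an exact x.y.z pin
// (caret, tilde, "*", "latest", tags, ...), i.e. it auto-adopts new releases.
function isFloatingRange(range) {
  return !/^\d+\.\d+\.\d+$/.test(range);
}

// Audit one dependency map. Each finding carries a kind:
//   "known-malicious" - exact match against KNOWN_MALICIOUS
//   "lookalike"       - within maxDistance edits of a protected name
//   "floating-range"  - version range that is not an exact pin
function auditDependencies(deps, opts = {}) {
  const maxDistance = opts.maxDistance ?? 2;
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, kind: "known-malicious" });
    } else {
      for (const target of PROTECTED_NAMES) {
        if (name === target) continue; // the real module is fine
        const distance = editDistance(name, target);
        if (distance <= maxDistance) {
          findings.push({ name, kind: "lookalike", target, distance });
          break;
        }
      }
    }
    if (isFloatingRange(range)) {
      findings.push({ name, kind: "floating-range", range });
    }
  }
  return findings;
}

// Audit both dependencies and devDependencies of a parsed package.json object.
function auditPackageJson(pkg) {
  return auditDependencies({
    ...(pkg.dependencies || {}),
    ...(pkg.devDependencies || {}),
  });
}

// Constructed package.json fragment for the demonstration (not a real project).
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  dependencies: {
    axios: "1.4.0",
    "agent-base": "7.1.0",
    "agent-baze": "^1.0.0",           // constructed look-alike name
    "nodejs-cookie-proxy-agent": "*", // name reported in the article
    lodash: "^4.17.21",
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Expected: 5 findings (one known-malicious, one lookalike, three floating ranges).
  for (const finding of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
    console.log(JSON.stringify(finding));
  }
}
```

The edit-distance threshold of 2 is deliberately small: larger values flag legitimate plugins such as axios-retry. A real deployment would replace the hard-coded KNOWN_MALICIOUS set with a maintained advisory feed and run the audit in CI before `npm install`.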


TurkoRAT is an in-development malware strain that could still inflict damage.


The TurkoRAT strain is one of the numerous open-source malware families that threat actors can test and modify.

The malware could harvest sensitive information like user login credentials and cryptocurrency wallets. Furthermore, TurkoRAT could include anti-detection features to make threat analysis more challenging.

Malicious npm packages have gained traction for the past few months, and threat actors have used these tools to execute supply chain attacks.

Earlier this year, a threat group used a Python [.]whl file to distribute the KEKW malware. Its developers designed it to harvest system-related data such as login details, device information, Windows product key and version, IP address, HWID, RAM capacity, geographical location, and Google Maps details.

In a separate incident, threat actors flooded the npm repository with blank malicious packages to mount a DoS campaign against open-source websites. Phishing links have also been planted in rogue npm modules, with the attackers using automation to generate the modules' names and project descriptions.

Malicious open-source packages remain a threat to organisations even though admins remove them as soon as they are spotted. In addition, miscreants commonly mimic legitimate packages to lure more developers and infect them.

Developers should be cautious of downloading packages to avoid infection from these threats.
