Security news that informs and inspires

Malicious Code Found in Package Repositories

Over the past few months, attackers have increasingly targeted the software supply chain by populating package managers and code marketplaces with malicious code.

Most recently, RubyGems maintainers removed two malicious gems from the repository of Ruby code packages and libraries. The gems pretty_color and ruby-bitcoin contained code which replaced cryptocurrency wallet addresses present in the clipboard of the infected Windows machine with a wallet address belonging to the attacker. The victim is unlikely to notice that the wallet address copied is different from the one being pasted, allowing the attacker to intercept transactions and steal cryptocurrency funds.

Security firm Sonatype, which scans open source components, found that pretty_color was an “identical replica” of a known package colorize, except it also contained a file version.rb with obfuscated code to run the malicious script. A scrupulous developer checking the gem’s contents would have seen the code to set text color, background color, and text effects, but could have missed the implications of the obfuscated code.

The problem of malicious components is not limited to just RubyGems, as malicious packages have been found in repositories for Python (such as PyPl), JavaScript (npm) packages, and even Docker images. A dynamic analysis of publicly available Docker images on Docker Hub found about 6,500 malicious images out of the 4 million images hosted in the repository, security startup Prevasio said earlier this month. Images included cryptominers, malicious JavaScript packages, hacking tools, and Windows malware. Many of them didn’t contain malicious code, but had instructions to download the malware when the images are run.

npm Issues

Earlier this month, npm removed two JavaScript packages which contained code to install a remote access Trojan on developer machines. If the developer imported and installed either jdb.js and db-json.js, a script performed basic reconnaissance of the infected machine and attempted to download an executable file. Once downloaded, that executable whitelisted the command-and-control server in the local Windows firewall in order to download the njRAT (also known as Bladabindi) malware. This Trojan has been previously used in espionage and data theft operations since 2015.

"The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it," the npm team wrote in an advisory at the time. "All secrets and keys stored on that computer should be rotated immediately from a different computer.”

Both packages were downloaded more than 100 times before their malicious behavior was detected by Sonatype, which scans package repositories on a regular basis. That sounds like a small number, but these types of attacks don’t need a large number of downloads to be effective. These attacks involve tricking developers into downloading packages, and not injecting malicious code into legitimate components. It is relatively easy to keep tossing malicious libraries onto repositories and collecting victims a few at a time.

A quick rundown of npm advisories shows about a dozen JavaScript packages have been found and removed from the repository since August. A package claiming to provide an interface to the Fall Guys: Ultimate Knockout game API was removed in August because it was actually stealing sensitive files from the infected users' browsers and Discord applications (fallguys, 300 downloads). Four libraries tried to collect user details and upload stolen data to a public GitHub page (electorn, 255 downloads; lodashs, 78 downloads; loadyaml, 48 downloads; loadyml, 37 downloads) in September. Four npm packages were removed in October which opened reverse shells (backdoors) on infected computers (plutov-slack-client, nodetest199, nodetest1010, npmpubman: over 1000 downloads in all). A package removed in November tried to open backdoors on infected systems (twilio-npm, downloaded 370 times). Another package removed in November was an updated version of fallguys, Sonatype said (discord.dll, 100 downloads).

The plutov-slack-client removed in October pretended to provide a JavaScript Slack interface for Node.js applications. In actuality, it opened an external connection, giving attackers an entry point to the server running the application. It was downloaded only for a few weeks, but attackers potentially had access to data of hundreds of victims.

Typosquatting Tricks

Attackers are utilizing different types of tricks to trick developers into using malicious software components into their applications, including typosquatting. Typosquatting refers to taking advantage of typing mistakes by using names that are similar to other packages. Typically, if someone makes a mistake typing the name of a component, then that person should get an error message because it doesn’t exist. Attackers are creating components using common variations, which means there are no error messages, and the person doesn’t know about the mistake.

The four JavaScript packages removed from npm in September are examples of typosquatting. The electorn package was a misspelling of electron, a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. were misspelled versions of popular packages and was a form of typosquatting attack.

Back in 2019, ReversingLabs found bb-builder, a JavaScript package which stole user credentials, and surmised it was likely trying to trick developers looking for the bb-build package, wrote Tomislav Peričin, the chief software architect and co-founder at ReversingLabs.

Attackers seeded RubyGems with more than 760 malicious gems using names just a bit different than the standard code libraries, researchers at ReversingLabs said back in April. The atlas-client gem, which was trying to do the same thing as pretty_color to swap out cryptomining wallet addresses in the clipboard, was a misspelling of the atlas_client gem, which is used to access an API. The malicious gem was downloaded over 2,000 times.

Polluted repositories cause significant damage to software security because the malicious components can have a cascading effect. Even if the developer doesn’t include those specific packages in the application, if those packages are included in some other package that the application is using, then that application becomes compromised. Dependency scanning tools, like what GitHub offers, help developers discover these problematic nested components.

Software repositories, package managers, and vulnerability databases are all necessary components of the software supply chain, as are the developers and end users who leverage them,” the Linux Foundation said in February. “Unless and until the weaknesses inherent within their current designs and procedures are addressed, however, they will continue to expose the companies and developers who rely upon them to significant risk.