Security news that informs and inspires

Malicious NPM Packages Hid TurkoRat Infostealer


Researchers said that it "is difficult to measure" the potential long-term impact of TurkoRat infections on developer systems.

Two malicious npm packages concealed an infostealer called TurkoRat for two months before they were detected by researchers and removed.

The two packages, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, are only the latest example of attackers abusing npm, the package manager and registry for the Node.js JavaScript platform. Both had limited downloads during their two months of availability, with nodejs-encrypt-agent downloaded 500 times and nodejs-cookie-proxy-agent 700 times, but researchers said that the longer-term impact of TurkoRat infections on an unknown number of developer systems “is difficult to measure.”

“Following the ReversingLabs research team's detection of the malicious npm packages, the affected packages were removed from npm and are no longer available for download,” said Lucija Valentić, software threat researcher with ReversingLabs on Thursday. “However, these latest discoveries, which lurked on the popular npm platform for two months, underscore the ongoing risk of supply chain attacks via open source packages.”

Researchers discovered the malicious packages in the second half of April and immediately notified npm. The packages were removed within days of discovery. These malicious packages were developed to target users of legitimate, commonly used packages, with nodejs-encrypt-agent mimicking the agent-base package and nodejs-cookie-proxy-agent mimicking node-cookie-proxy-agent.

The malicious packages stuck out to researchers due to irregularities in their names and version numbers. The package name of nodejs-encrypt-agent differed from the name listed in its readme.md file (agent-base), and the package’s oldest version, published two months before it was discovered, carried an oddly high number (6.0.2). Version 6.0.2 of the legitimate agent-base package has been downloaded over 20 million times, so it appears the attackers were hoping to tap into that package's popularity.

“As we’ve noted, high version numbers are popular among malware authors hoping to infiltrate open source repositories via typosquatting and other supply chain attacks, where hurried developers are often quick to grab the latest edition of a package, as designated by the version number,” said Valentić.

Upon further investigation into the packages, researchers found that they carried a malicious Windows PE (portable executable) file that the index.js entry point was set to execute. The executable was TurkoRat, an open-source malware family designed to steal data ranging from website cookies to cryptocurrency wallets. This malware is highly customizable, said Valentić, and a bad actor can alter its configuration and capabilities.

“There was little question that the PE discovered within the npm package was malicious. The list of malicious or suspicious behaviors observed was long, with features designed to steal sensitive information from infected systems including user login credentials and crypto wallets as well as fool or defeat sandbox environments and debuggers that are used to analyze malicious files,” said researchers.

Malicious npm packages have been discovered frequently over the past year. In July 2022, researchers found that more than two dozen npm packages, with some dating back to at least December 2021, contained code designed to steal form data from end users of the applications or websites that were deploying the malicious packages. In March 2022, researchers uncovered activity by an attacker uploading more than 200 malicious npm packages that were designed to steal personally identifiable information.

“From the perspective of threat detection and supply chain security, organizations should pay attention to the wide assortment of ‘tells’ that these packages exhibited and that were clear signs that they could be malicious,” said Valentić. “Typosquatting attacks hinge on developer inattention to small details in naming (‘node’ versus ‘nodejs’ in one instance). However, other details are easier to spot even for harried developers, including suspicious versioning, discrepancies in naming, smaller than expected downloads and dependencies and more.”