Hundreds of Malicious Packages Found in npm Registry

Security researchers found over 400 malicious packages on the popular open source registry npm in December, and dozens more on PyPI.

In a blog post, Sonatype explained that its AI tool uncovered 422 malicious npm packages, mostly focused on data exfiltration through typosquatting or “dependency confusion attacks.” Additionally, 58 malicious packages were detected on PyPI, including an obfuscated Discord token stealer.

This brings the total number of open source packages flagged as malicious by vendors to nearly 104,000 since 2019.

These open source components have become almost ubiquitous in development projects because they provide a convenient way to reduce time to market. The top four ecosystems currently serve an estimated more than 3 trillion download requests per year.

However, cybercriminals are increasingly inserting malware into packages in hopes that developers will unknowingly download it.

Some of the malicious packages that came to Sonatype’s attention in December were focused on the macOS developer environment, including an infected version of the cryptographic library Cobo Custody Restful.

“The attackers took advantage of the fact that this package was not officially distributed through the PyPI registry,” explains Sonatype.

“By uploading a compromised version of the same name to PyPI, the attacker hopes that the package manager (pip) used by developers will prefer the malicious version over the canonical GitHub version.”
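The resolver behaviour described in the quote above is something a project can check for in its own dependency list. The following is an added example, not code from the article or from Sonatype: it audits a requirements.txt for the conditions that let pip end up with a same-named public package (an `--extra-index-url` that mixes public and private indexes, requirements without an exact pin and `--hash`, and private names that also exist on the public index). The private package names, the `pypi.acme.example` URL and the stand-in public index are constructed; `cobo-custody-restful` appears only because the article names that library.

```python
import re
from typing import Callable, Iterable

_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*\S+)?")

def _normalize(name: str) -> str:
    # PEP 503 normalisation: "Foo_Bar" and "foo-bar" name the same project.
    return re.sub(r"[-_.]+", "-", name).lower()

def _logical_lines(lines: Iterable[str]) -> Iterable[str]:
    # Strip comments and join backslash continuations (the usual --hash layout).
    buf = ""
    for raw in lines:
        part = raw.split("#", 1)[0].rstrip()
        if part.endswith("\\"):
            buf += part[:-1] + " "
            continue
        yield (buf + part).strip()
        buf = ""

def audit_requirements(lines: Iterable[str], private_names: set[str],
                       public_exists: Callable[[str], bool]) -> list[str]:
    """Findings on how `pip install -r` could be steered to a same-named public package.
    `public_exists` is injected so this runs offline; a live version would query
    https://pypi.org/pypi/<name>/json (HTTP 404 means the name is unused)."""
    private = {_normalize(n) for n in private_names}
    findings = []
    for line in _logical_lines(lines):
        if line.startswith("--extra-index-url"):
            findings.append("--extra-index-url: pip merges public and private candidates "
                            "and installs the highest version; use one --index-url proxy")
        elif line and not line.startswith("-") and (m := _REQ.match(line)):
            name = _normalize(m.group(1))
            if name in private and public_exists(name):
                findings.append(f"{name}: private name also exists on the public index")
            if not m.group(2) or "--hash=" not in line:
                findings.append(f"{name}: not pinned with ==version plus --hash")
    return findings

# Constructed sample data (not real indexes): names the organisation serves privately ...
PRIVATE_PACKAGES = {"cobo-custody-restful", "acme-internal-auth"}
# ... and a stand-in for the public index, where a same-named upload has appeared.
FAKE_PUBLIC_INDEX = {"requests", "flask", "cobo-custody-restful"}
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.acme.example/simple   # hypothetical private index
--extra-index-url https://pypi.org/simple
requests==2.31.0 \\
    --hash=sha256:PLACEHOLDER_NOT_A_REAL_DIGEST
cobo-custody-restful>=0.1
acme_internal_auth
""".splitlines()
```

Running `audit_requirements(SAMPLE_REQUIREMENTS, PRIVATE_PACKAGES, FAKE_PUBLIC_INDEX.__contains__)` reports the extra index, the public collision on `cobo-custody-restful`, and the two unpinned requirements, while the pinned and hashed `requests` line passes.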

The vendor also detected six more PyPI packages targeting Python developers with the same tactics; these combined the functionality of remote access Trojans and information stealers in novel ways.

“Malicious packages with names like easytimestamp, pyrlogin, disorder, discord-dev, style.py, pythonstyles launch a PowerShell script that fetches the ZIP file and installs the libraries pynput, pydirectinput, pyscreenshot in a RAT fashion. The attacker takes control of the target’s mouse and keyboard and takes screenshots,” explains Sonatype.

Additionally, these malicious packages are also stealers, capable of extracting sensitive information such as stored passwords, cryptocurrency wallet data, and cookies. They also try to install cloudflared, a command line tool for Cloudflare Tunnel, which allows remote access to infected machines via Flask-based apps.

According to Sonatype’s latest software supply chain report, this type of malicious activity has increased by 743% over the past three years.
