Malicious Npm Package Uses Typosquatting, Downloads Malware

A package called ‘aabquerys’ was discovered in an open-source JavaScript npm repository that uses typosquatting techniques to allow the download of malicious components.

The findings come from security researchers at ReversingLabs, who stated that aabquerys was able to download second- and third-stage malware payloads to the infected system.

“The package name aabquerys is also similar to the name of another legitimate npm module: abquery, evidence of ‘typosquatting’, or sowing confusion and tricking developers into using a malicious package instead of a legitimate one: evidence of an attempt to get you to download the package,” the company said on Thursday.
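The look-alike name described above (aabquerys versus abquery) is the kind of thing a dependency review can catch mechanically. The following is an added example, not code from the ReversingLabs write-up: it scans a package.json's dependencies for names within a small edit distance of a known-good allow-list; the allow-list and the sample package.json are constructed for illustration.

```javascript
// Added example: flag dependency names that sit a few edits away from a
// known-good package name, e.g. "aabquerys" vs the legitimate "abquery".
// KNOWN_GOOD is a constructed allow-list; a real one would be curated per project.
const KNOWN_GOOD = ['abquery', 'express', 'lodash'];

// Classic Levenshtein distance using a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];          // D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];       // D[i-1][j], needed as next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Return every dependency that is NOT on the allow-list but is within
// maxDist edits of a name that is. Exact matches are trusted and skipped.
function findTyposquats(pkgJson, knownGood = KNOWN_GOOD, maxDist = 2) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    const bare = name.replace(/^@[^/]+\//, '').toLowerCase(); // drop any scope
    if (knownGood.includes(bare)) continue;
    for (const good of knownGood) {
      const d = levenshtein(bare, good);
      if (d > 0 && d <= maxDist) findings.push({ name, lookalike: good, distance: d });
    }
  }
  return findings;
}

// Constructed sample manifest carrying the page's malicious name next to the real one.
const SAMPLE_PKG = {
  dependencies: { abquery: '^1.0.0', aabquerys: '^1.0.0', lodash: '^4.17.21' },
};

console.log(findTyposquats(SAMPLE_PKG));
```

A finding is a review prompt, not a verdict: a near-match against a short allow-list is cheap to check by hand before `npm install` runs any install scripts.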

According to a technical article by ReversingLabs threat researchers Lucija Valentic and Karlo Zanki, the malicious package consists of two files, one of which is obfuscated by a JavaScript obfuscator.

“Open source code is intended to be viewable by anyone, so attempts to disguise or hide functionality within open source modules should be investigated,” the researchers wrote.

“For aabquerys, the obfuscated code in question was easily deciphered. It revealed [a JavaScript] file that has demonstrably malicious behavior.”

According to ReversingLabs, opening the file on a PC displayed a fake web browser crash message and a link leading to a download of the second-stage malware, which has been used in multiple malware campaigns. This sideloaded a dynamic link library (DLL) file that in turn downloaded a third-stage malicious component.

The file, called “Demon.bin”, is a malicious agent with various Remote Access Trojan (RAT) capabilities, reportedly developed using Havoc, an open-source post-exploitation command and control (C2) framework by malware author C5pider.

“Since discovering the aabquerys package, npm has removed it from its repository along with other malicious packages,” writes Valentic.

At the same time, the researchers explain, discoveries of malicious packages by responsible maintainers (and other evidence) underscore the growing risk of malicious packages hiding in open source repositories such as npm, PyPI, and GitHub.

“This risk requires development organizations to pay greater attention to telltale signs of malicious or suspicious behavior within the open source supply chain.”

As one example, a study Sonatype published a few weeks ago reported that over 400 malicious packages were found on npm in December, with dozens more found in PyPI repositories.
