Security researchers have found another large batch of malicious packages in the npm and PyPI open source registries, which can compromise developers who download them unknowingly.
In January, Sonatype announced that it had found 691 malicious npm packages and 49 malicious PyPI components, including cryptominers, remote access Trojans (RATs), and more.
In total, the company’s AI tooling has flagged around 107,000 packages as malicious, suspicious, or proof-of-concept since 2019.
The haul includes multiple packages carrying the same malicious package.go file, a Trojan horse designed to mine cryptocurrency on Linux systems. According to Sonatype, 16 of these came from the same actor, Trendava, since removed from the npm registry.
Another finding involves the PyPI malware “minimal”, which checks for the presence of a virtual machine (VM) before executing. The idea is to thwart security researchers, who often run suspicious malware in VMs to dig deeper into threats.
“This malware is designed to check if the current operating system is Windows. It then checks if the environment is running in a virtual machine or sandbox environment. It does this by verifying the existence of certain files related to and VirtualBox, and by checking for the existence of certain processes commonly used by security researchers,” Sonatype said.
“If the environment is a virtual machine, the code will return immediately without further execution.”
Security vendors have also discovered new Python malware that combines RAT and information-stealing capabilities.
Finally, we discovered that a suspicious developer known as ‘infinitebrahamanuniverse’ uploaded over 33,000 packages claiming to be ‘no-one-left-behind’ or ‘nolb’ subpackages. The latter was removed last week after the npm security team discovered that it depended on all other publicly known npm packages.
“If you check your npm packages now, you may find one of the nolb packages uploaded by ‘infinitebrahamanuniverse’ under the dependencies tab,” warned Sonatype.
“By adding it to a typosquatting package, threat actors can launch denial of service (DoS) attacks against corporate download channels. This can make you wait and block the developer’s time. Installing a package with this dependency can also consume excessive resources. If you are following this series, you should know that such a scenario is not far-fetched.”
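The dependency check Sonatype recommends above can be automated against a project's lockfile. The script below is an added example, not Sonatype's tooling or code from the article: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2/3 layout), flags any package whose name matches the `no-one-left-behind`/`nolb-*` pattern, reports which package pulled it in, and also flags any package declaring an abnormally large number of direct dependencies, since that fan-out is what makes the dependency a resource and DoS problem. The lockfile it scans is constructed inline for the demo; `lodahs`, `nolb-a` and the `dep-N` names are synthetic.

```javascript
// Added example (not Sonatype's code): scan an npm lockfile for the
// 'no-one-left-behind' / 'nolb-*' dependency pattern and for packages with
// extreme dependency fan-out. The lockfile below is constructed for the demo.

const FLAGGED_NAME = /^(no-one-left-behind|nolb(?:-|$))/;

// Synthetic lockfile: the app depends on a lookalike package "lodahs", which
// quietly pulls in "nolb-a", which in turn fans out to 30 packages.
function buildConstructedLockfile() {
  const fanout = Object.fromEntries(
    Array.from({ length: 30 }, (_, i) => [`dep-${i}`, "1.0.0"])
  );
  const packages = {
    "": { name: "demo-app", dependencies: { "left-pad": "1.3.0", lodahs: "1.0.0" } },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/lodahs": { version: "1.0.0", dependencies: { "nolb-a": "1.0.0" } },
    "node_modules/nolb-a": { version: "1.0.0", dependencies: fanout },
  };
  for (const dep of Object.keys(fanout)) {
    packages[`node_modules/${dep}`] = { version: "1.0.0" };
  }
  return { name: "demo-app", lockfileVersion: 3, packages };
}

// Lockfile keys are install paths; the package name is everything after the
// last "node_modules/" (scoped names such as "@s/b" are preserved).
function nameFromPath(pkgPath) {
  const marker = "node_modules/";
  const idx = pkgPath.lastIndexOf(marker);
  return idx === -1 ? pkgPath : pkgPath.slice(idx + marker.length);
}

// Returns { flaggedNames, highFanout, pulledInBy } for the given lockfile.
function scanLockfile(lockfile, fanoutThreshold = 25) {
  const report = { flaggedNames: [], highFanout: [], pulledInBy: {} };
  for (const [pkgPath, entry] of Object.entries(lockfile.packages || {})) {
    const isRoot = pkgPath === "";
    const name = isRoot ? `(root: ${entry.name || lockfile.name})` : nameFromPath(pkgPath);
    const deps = Object.keys(entry.dependencies || {});

    if (!isRoot && FLAGGED_NAME.test(name)) report.flaggedNames.push(name);
    if (deps.length >= fanoutThreshold) report.highFanout.push({ name, count: deps.length });

    // Record which package introduced each flagged dependency.
    for (const dep of deps) {
      if (FLAGGED_NAME.test(dep)) {
        if (!report.pulledInBy[dep]) report.pulledInBy[dep] = [];
        report.pulledInBy[dep].push(name);
      }
    }
  }
  return report;
}

const demoReport = scanLockfile(buildConstructedLockfile());
console.log(JSON.stringify(demoReport, null, 2));
```

To run it against a real project, replace `buildConstructedLockfile()` with the parsed contents of `package-lock.json` (`JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`); an empty report means neither the flagged names nor an unusual fan-out appear anywhere in the resolved tree, not just among direct dependencies.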