"Researchers Uncover 700+ Malicious Open Source Packages"

Security researchers at Sonatype have discovered another sizeable haul of malicious packages on the npm and PyPI open source registries, which could cause issues if unwittingly downloaded by developers. The researchers found 691 malicious npm packages and 49 malicious PyPI components containing crypto-miners, remote access Trojans (RATs), and more. The discoveries by the firm's AI tooling bring its total haul to nearly 107,000 packages flagged as malicious, suspicious, or proof-of-concept since 2019.

The haul includes multiple packages containing the same malicious package.go file, a Trojan designed to mine cryptocurrency on Linux systems. According to the researchers, sixteen of these were traced to the same actor, trendava, who has now been removed from the npm registry.

Separate finds include the PyPI malware "minimums," which is designed to check for the presence of a virtual machine (VM) before executing. The idea is to disrupt attempts by security researchers, who often run suspected malware in VMs, to find out more about the threat. The researchers noted that the malware first checks whether the current operating system is Windows, then checks whether the environment is running in a virtual machine or sandbox. If it is, the code immediately returns without executing any further.

The researchers also discovered new Python malware combining the capabilities of a RAT and an information stealer. During their research, they also found a suspicious-looking developer known as "infinitebrahamanuniverse" who uploaded over 33,000 packages self-described as sub-packages of "no-one-left-behind," or "nolb." The latter was removed last week after the npm security team found that it depended on every other known publicly available npm package.
The researchers warned that if you check any npm package right now, you'll probably find under the dependents tab one of the nolb packages uploaded by infinitebrahamanuniverse. They stated that by adding such a package to a typo-squatting package, a threat actor can launch a denial-of-service (DoS) attack against a company's download channel, wasting developers' time by forcing them to wait for their npm environment to be ready. The researchers noted that installing a package with this dependency can also cause excessive resource consumption.
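One defensive check for the dependency-bloat pattern described above is to audit a project's lockfile and flag any direct dependency whose transitive closure is far larger than expected. The following is an added example, not code from the article or from Sonatype; it parses the lockfileVersion 2/3 "packages" map that npm writes to package-lock.json, and the package names and threshold are constructed for illustration.

```javascript
// Added example (not from the article or Sonatype): flag direct dependencies in an
// npm lockfile (v2/v3 "packages" map) with an abnormally large transitive closure.
// Mimic npm's nested node_modules lookup: nearest enclosing node_modules wins.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// Collect every lockfile entry reachable from startPath (startPath itself excluded).
function transitiveClosure(packages, startPath, seen = new Set()) {
  const deps = (packages[startPath] || {}).dependencies || {};
  for (const dep of Object.keys(deps)) {
    const p = resolveDep(packages, startPath, dep);
    if (p && !seen.has(p)) { seen.add(p); transitiveClosure(packages, p, seen); }
  }
  return seen;
}
// Per direct dependency of the project root (""): how many packages it drags in
// and whether that exceeds the threshold (100 is a constructed value; tune per project).
function auditLockfile(lock, threshold = 100) {
  const packages = lock.packages || {};
  const report = {};
  for (const dep of Object.keys((packages[""] || {}).dependencies || {})) {
    const p = resolveDep(packages, "", dep);
    if (!p) continue;
    const count = transitiveClosure(packages, p).size;
    report[dep] = { count, flagged: count > threshold };
  }
  return report;
}
// Constructed lockfile: "small-pkg" is ordinary; "typo-pkg" pulls in "bulk-dep",
// which (like nolb) lists 200 further packages as dependencies. All names are made up.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "small-pkg": "^1.0.0", "typo-pkg": "^1.0.0" } },
  "node_modules/small-pkg": { version: "1.0.0", dependencies: { "util-a": "^2.0.0" } },
  "node_modules/util-a": { version: "2.0.0" },
  "node_modules/typo-pkg": { version: "1.0.0", dependencies: { "bulk-dep": "^1.0.0" } },
  "node_modules/bulk-dep": { version: "1.0.0", dependencies: {} },
} };
for (let i = 0; i < 200; i++) {
  SAMPLE_LOCK.packages["node_modules/bulk-dep"].dependencies[`pkg-${i}`] = "^1.0.0";
  SAMPLE_LOCK.packages[`node_modules/pkg-${i}`] = { version: "1.0.0" };
}
console.log(auditLockfile(SAMPLE_LOCK)); // small-pkg: 1 (not flagged); typo-pkg: 201 (flagged)
```

Running the same audit in CI against the real package-lock.json, with a threshold derived from the project's historical dependency counts, surfaces a bloated dependency before `npm install` spends minutes downloading it.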

Infosecurity reports: "Researchers Uncover 700+ Malicious Open Source Packages"
