Automated malware detection systems have once again flagged several malicious packages lurking in the npm registry.

Masquerading as legitimate JavaScript libraries, the latest round of packages launch cryptominers on Windows, macOS, and Linux machines.

“Once again, this particular discovery is a further indication that developers are the new target for adversaries over the software they write,” writes Sonatype, noting that all the packages were published by the same author.

The Sonatype researchers reported the malicious packages (named okhsa, klow and klown) to npm only hours after their release, and the packages were unlisted the same day, so they did little or no damage.

Unclear intentions  

Attacks on public repositories such as JavaScript’s npm and Python’s PyPI are nothing new, but they have intensified of late. A recent report found a 650% year-on-year increase in supply chain attacks aimed at upstream open source public repositories in 2021.

npm is no exception: Sonatype has previously said that its automated systems have identified over 12,000 suspicious and malicious npm packages since 2019.

What’s interesting about these newly flagged (and subsequently removed) packages is that they didn’t employ any of the usual ploys to trick developers into installing them. 

“It isn’t clear how the author of these packages aims to target developers. There are no obvious signs observed that indicate a case of typosquatting or dependency hijacking. ‘Klow(n)’ does impersonate the legitimate UAParser.js library on the surface, making this attack seem like a weak brandjacking attempt,” observe the researchers.
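The three ploys named above (typosquatting, brandjacking and a known-bad name) are all things a project can check for in its own lockfile before `npm install` runs anything. The script below is an added example, not part of the original article and not Sonatype’s detection tooling: it walks a `package-lock.json` (v2/v3 `packages` map), flags the three package names from the report, flags names that collapse to a popular package once separators are stripped (brandjack) or sit within a small edit distance of one (typosquat), and flags packages that declare an install-time script (a general heuristic for install-time droppers; the report does not say how these particular packages executed). The `POPULAR` list, the thresholds and the sample lockfile are constructed assumptions; a real deployment would compare against the top-N npm packages by downloads. Note that a name check would not have caught klow(n), which the researchers say resembled UAParser.js only superficially, not by name; that is what the blocklist is for.

```javascript
// Added example: lockfile scan for known-bad, typosquatted and brandjacked
// dependency names. Not Sonatype's tooling; names below come from the report.
const KNOWN_MALICIOUS = new Set(["okhsa", "klow", "klown"]);

// Assumption: a short stand-in for a list of popular packages to compare against.
const POPULAR = ["ua-parser-js", "lodash", "express", "react", "axios"];

// Optimal string alignment distance: Levenshtein plus adjacent transpositions,
// because swapped letters ("lodahs") are the most common typosquat pattern.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Lowercase, drop any @scope/ prefix and strip separators so that
// "ua-parser-js", "uaparser-js" and "UAParser.js" all collapse to "uaparserjs".
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[-_.]/g, "");
}

// Yield [name, metadata] for every entry in a lockfile v2/v3 "packages" map.
// Keys look like "node_modules/foo" or "node_modules/foo/node_modules/bar";
// the "" key is the root project and is skipped.
function lockfilePackages(lock) {
  const out = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue;
    const idx = key.lastIndexOf("node_modules/");
    out.push([key.slice(idx + "node_modules/".length), meta]);
  }
  return out;
}

function scanLockfile(lock) {
  const findings = [];
  for (const [name, meta] of lockfilePackages(lock)) {
    const reasons = [];
    if (KNOWN_MALICIOUS.has(name)) reasons.push("known-malicious");
    // hasInstallScript is set by npm for packages with (pre|post)install scripts.
    if (meta.hasInstallScript) reasons.push("install-script");
    const n = normalize(name);
    for (const pop of POPULAR) {
      if (name === pop) continue; // the genuine package itself
      const p = normalize(pop);
      if (n === p) { reasons.push(`brandjack of ${pop}`); break; }
      // Assumption: allow 2 edits for long names, 1 for short ones, to limit false positives.
      if (editDistance(n, p) <= (p.length >= 8 ? 2 : 1)) { reasons.push(`typosquat of ${pop}`); break; }
    }
    if (reasons.length) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample lockfile (not a real project); lockfileVersion 3 shape.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/klown": { version: "0.0.1", hasInstallScript: true },
    "node_modules/lodahs": { version: "1.0.0" },
    "node_modules/express/node_modules/ua-parser-js": { version: "1.0.2" },
    "node_modules/uaparser-js": { version: "0.1.0" },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` and run it before `npm ci` in CI, so a hit blocks installation rather than merely logging it afterwards.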

Sonatype says it is now extending the malware detection capabilities that caught the packages in npm to other ecosystems, such as PyPI.
