Malicious NPM packages are part of a malware “barrage” hitting repositories



The use of open source repositories to spread malicious software continues to flourish: researchers have found 17 more malicious packages in an open source repository.

The malicious code was found in NPM, where 11 million developers trade more than 1 million packages. The 17 malicious packages appear to have been uploaded by several different threat actors, who used varying techniques and amounts of effort to trick developers into installing malicious wares in place of the benign ones they intended.

The latest discovery continues a trend first spotted a few years ago, in which criminals sneak information stealers, keyloggers, or other types of malware into packages available in NPM, RubyGems, PyPI, or another repository. Often the malicious package has a name that differs by a single letter from a legitimate package, and it frequently ships the same code and functionality as the package it impersonates, with the malicious additions concealed inside.
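The single-letter lookalike pattern described above is easy to check for before a dependency is installed. The following is an added example, not code from the article or from JFrog: it compares every dependency name in a package.json against a short list of well-known packages and flags names that are exactly one edit away. The popular-package list and the sample package.json are constructed for the demonstration; a real check would use a much larger list of top npm packages.

```javascript
// Added example (not from the article or JFrog): flag dependencies whose
// names are within one edit of a well-known package, i.e. the typosquatting
// pattern described in the text. The POPULAR list and SAMPLE_PACKAGE_JSON
// below are constructed for this demo.

const POPULAR = ["discord.js", "lodash", "express", "react", "axios", "chalk"];

// Plain Levenshtein edit distance (insert, delete, substitute each cost 1).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,        // delete a[i-1]
        dp[i][j - 1] + 1,        // insert b[j-1]
        dp[i - 1][j - 1] + cost  // substitute (or keep)
      );
    }
  }
  return dp[a.length][b.length];
}

// Strip a scope ("@scope/name" -> "name") so "@evil/lodash" is still compared
// against the unscoped popular name.
function bareName(name) {
  return name.startsWith("@") ? (name.split("/")[1] || name) : name;
}

// Returns [{ dep, lookalike }] for every dependency (regular or dev) that is
// exactly one edit away from a popular package. An exact match is the real
// package and is skipped.
function findTyposquats(pkgJson, popular = POPULAR) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const hits = [];
  for (const dep of Object.keys(deps)) {
    const name = bareName(dep).toLowerCase();
    if (popular.includes(name)) continue;
    for (const p of popular) {
      if (editDistance(name, p) === 1) hits.push({ dep, lookalike: p });
    }
  }
  return hits;
}

// Constructed package.json: two real dependencies and two one-character
// lookalikes ("l0dash" substitutes a zero, "expres" drops a letter).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "discord.js": "^14.0.0", "l0dash": "4.17.21", "expres": "4.18.2" },
  devDependencies: { "chalk": "5.0.0" },
};

console.log(findTyposquats(SAMPLE_PACKAGE_JSON));
// -> [ { dep: 'l0dash', lookalike: 'lodash' }, { dep: 'expres', lookalike: 'express' } ]
```

Run it against a real project by replacing SAMPLE_PACKAGE_JSON with the parsed contents of its package.json. A distance of exactly one is deliberate: it matches the "single letter different" trick the text describes without drowning the output in unrelated short names; widening it to two edits catches transpositions such as "lodahs" at the cost of more false positives.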

A ripe attack vector

JFrog researchers wrote on Wednesday that they are witnessing a recent barrage of malicious software hosted and delivered through open-source software repositories. Public repositories make a handy distribution channel: the repository's server is a trusted resource, so communication with it does not raise the suspicion of any antivirus or firewall, and the ease of installation via automation tools such as the npm client provides a ripe attack vector.

Most of the packages were flagged for stealing Discord tokens, the credentials that grant access to Discord, a platform people use to communicate through text, voice, and video. A hijacked Discord server can be used as a command and control channel, and several of the packages also stole credit card data from the compromised accounts.

Two of the packages came from the same author. They masquerade as modifications of discord.js, the popular legitimate library for interacting with the Discord API. The original discord.js library is incorporated as the base of each package, and the malicious code is then injected into one of the package files.


The researchers wrote:

> The obfuscated version of the code contains every possible method of obfuscation, with more than 4,000 lines of unreadable code.
>
> We were able to deobfuscate the package and show that it is actually very simple: the final payload simply searches for token strings in the local storage folders of well-known browsers and in Discord-specific folders. Any token found is sent back over the internet to a hardcoded server.

Fix-error is a package that claims to fix errors. The malicious code it contained was less heavily obfuscated, so the researchers had an easier time deobfuscating it. It turned out to be a version of PirateStealer, an app that steals credit card information, login credentials, and other private data. It works by injecting malicious JavaScript code that spies on the user and sends the stolen information to a hardcoded address.
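The two stealers above share a recognizable shape: heavily obfuscated source, reads of browser and Discord local-storage folders, and a hardcoded address to send the loot to. The following is an added triage scanner, not code from the article, JFrog, or either package: it counts those indicators in a source file and reports a verdict. The regexes, thresholds, and the sample file it scans are all constructed for the demonstration (the endpoint uses the reserved .invalid domain), so tune them against your own corpus before relying on them.

```javascript
// Added example (not from the article or JFrog): a quick triage scan of a
// package source file for the traits described in the text. CHECKS,
// thresholds and SAMPLE_SOURCE are constructed for this demo.

const CHECKS = [
  // Identifiers like _0x4f2a produced by common JavaScript obfuscators.
  { id: "obfuscated-identifiers", re: /_0x[0-9a-f]{4,}/g, min: 5 },
  // Strings assembled from hex escapes (\x4c\x6f...) to hide keywords and paths.
  { id: "hex-escaped-strings", re: /\\x[0-9a-f]{2}/gi, min: 10 },
  // Where Chromium-based browsers and the Discord client keep local storage.
  {
    id: "local-storage-paths",
    re: /Local Storage[\\/]+leveldb|discord(?:canary|ptb)?[\\/]+Local Storage/gi,
    min: 1,
  },
  // A hardcoded remote endpoint in a string literal: candidate exfil address.
  { id: "hardcoded-endpoint", re: /https?:\/\/[^\s"'`]+/g, min: 1 },
];

// Longest line in the file; packed or minified payloads tend to be one huge line.
function longestLine(src) {
  return src.split("\n").reduce((max, line) => Math.max(max, line.length), 0);
}

// Returns { suspicious, indicators } where indicators lists every check that
// met its threshold with a match count and one sample match.
function scanSource(src, longLineThreshold = 500) {
  const indicators = [];
  for (const check of CHECKS) {
    const matches = src.match(check.re) || [];
    if (matches.length >= check.min) {
      indicators.push({ id: check.id, count: matches.length, sample: matches[0] });
    }
  }
  const longest = longestLine(src);
  if (longest > longLineThreshold) {
    indicators.push({ id: "minified-or-packed", count: 1, sample: `longest line ${longest} chars` });
  }
  // Two independent traits together are treated as worth a human look.
  return { suspicious: indicators.length >= 2, indicators };
}

// Constructed sample mimicking the stealer traits: hex-escaped "Local Storage"
// and "leveldb", _0x identifiers, Discord/Chrome storage paths, hardcoded URL.
const SAMPLE_SOURCE = [
  "const _0x1a2b=['\\x4c\\x6f\\x63\\x61\\x6c\\x20\\x53\\x74\\x6f\\x72\\x61\\x67\\x65','\\x6c\\x65\\x76\\x65\\x6c\\x64\\x62'];",
  "function _0x3c4d(_0x5e6f,_0x7a8b){return _0x1a2b[_0x5e6f-0x0];}",
  "const dirs=[process.env.APPDATA+'/discord/Local Storage/leveldb',",
  "  process.env.LOCALAPPDATA+'/Google/Chrome/User Data/Default/Local Storage/leveldb'];",
  "const _0x9c0d='https://example.invalid/collect'; // constructed exfil endpoint",
].join("\n");

console.log(JSON.stringify(scanSource(SAMPLE_SOURCE), null, 2));
```

To use it on an installed dependency tree, read each .js file under node_modules with fs.readFileSync and pass the contents to scanSource; a hit on a freshly added package is a signal to diff it against the version published under the name it resembles. None of the indicators is damning alone (minified bundles and legitimate Discord bots trip individual checks), which is why the verdict requires at least two.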

Prerequests-xcode is a package that contains remote access trojan (RAT) functionality. The researchers wrote:

> The package contains a Node.js port of DiscordRAT.
>
> DiscordRAT allows an attacker to take control of the victim's machine. Inspecting the list of available commands is enough to understand the RAT's capabilities.