NPM Packages Found Hiding Dangerous TurkoRat Malware

NPM Packages Found Hiding Dangerous TurkoRat Malware

Home » Security » NPM Packages Found Hiding Dangerous TurkoRat Malware
NPM Packages Found Hiding Dangerous TurkoRat Malware

In today’s digital development, open-source software has become a trusted ally for developers across the world. However, lurking within its many benefits are potential security threats that every developer should be aware of. One such alarm is centered around harmful packages found in the npm package repository, specifically targeting Node.js users.

NPM Packages: A Wolf in Sheep’s Clothing

Recently, two packages in the npm package repository—nodejs-encrypt-agent and nodejs-cookie-proxy-agent, Were revealed as malicious packages. These packages were hiding a malware known as TurkoRat, an open-source information harvester that can steal login details, website cookies, and even cryptocurrency wallet information. These packages were downloaded around 1,200 times and stayed hidden for more than two months before they were spotted and removed.

One of these, nodejs-encrypt-agent, was cleverly disguised to mimic a legitimate npm module named agent-base, which has been downloaded over 25 million times. The harmful packages and their respective versions include:

PackageVersions
axios-proxy1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, and 1.2.4
nodejs-encrypt-agent6.0.2, 6.0.3, 6.0.4, and 6.0.5
nodejs-cookie-proxy-agent1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, and 1.2.4

The Bigger Picture

This incident is part of a larger pattern where malicious users exploit open-source software supply chains for their illegal activities. This calls for developers to be extremely cautious when using third-party and open-source code, examining their features, behaviors, and dependencies closely to identify any potential harmful payloads.

One increasingly common tactic is the creation of harmful packages that impersonate legitimate ones. In this new take on the traditional Typosquatting attack, attackers register package names identical to real ones but with different capitalization.

The Threat Beyond NPM

The issue extends beyond npm. Recently, three harmful extensions were removed from the VS Code extensions marketplace. Named ‘prettiest java’, ‘Darcula Dark’, and ‘python-vscode’, these extensions were downloaded over 46,000 times, had features that enabled them to steal user credentials and system information, and even create a remote shell on the victim’s machine.

The Python Package Index (PyPI) software repository also found similar threats. Some of these packages were spreading a cryptocurrency malware named KEKW, and others were misspelled versions of popular frameworks, like flask, with backdoor functions built-in, and because of this they stopped new users registration and packages deployment.

Another One Python package named ‘chatgpt-api’ was found to contain a harmful dependency that could steal Discord tokens and hijack cryptocurrency transactions. It cleverly hid its harmful intent by providing the advertised functionality—interacting with OpenAI’s ChatGPT tool.

Conclusion

The increasing use of open-source software comes with its share of risks. While they offer numerous advantages, developers must maintain a heightened sense of vigilance. It’s crucial to scrutinize every piece of third-party code, be it open-source or commercial, for potential harmful payloads. Notably, the npm package repository and other platforms like PyPI and the VS Code marketplace have shown vulnerabilities to such attacks.

Furthermore, developers need to be aware of sophisticated tactics used by hackers, such as mimicking popular packages with identical names but different capitalization. It’s a challenging task, but staying informed about these threats is the first step towards securing your code.

The world of development is fast-paced and ever-evolving. As we continue to rely on open-source software to streamline our workflows, we must also prioritize security. By staying alert to potential threats and incorporating thorough security checks into our development process, we can keep our code safe and our products secure.

Join Our Newsletter!

Join our newsletter to get our latest ebook "Ultimate JavaScript Cheat-Sheet", and Tips, Articles..

We don’t spam! Read our privacy policy for more info.

Join Our Newsletter!

Join our newsletter to get our latest ebook "Ultimate JavaScript Cheat-Sheet", and Tips, Articles..

We don’t spam! Read our privacy policy for more info.

Leave a Comment

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.