Recently, two packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent were detected on the npm package repository. Shockingly, these packages contained a dangerous information stealer malware known as TurkoRat.
These malicious packages managed to remain undetected for over two months, during which they were downloaded approximately 1,200 times before being identified and removed.
The Stealthy Tactics of TurkoRat Malware
TurkoRat, the information stealer malware embedded in the nodejs-encrypt-agent package, possesses the capability to gather crucial data such as login credentials, website cookies, and cryptocurrency wallet information. Additionally, the nodejs-cookie-proxy-agent package disguised the trojan by camouflaging it as a dependency called axios-proxy.
To further deceive users, nodejs-encrypt-agent disguised itself as the legitimate npm module agent-base, which has been downloaded over 25 million times. This deceptive tactic aimed to trick developers into unwittingly downloading the malware.
List of Rogue Packages and Versions
The following is a list of the malicious packages and their associated versions:
- nodejs-encrypt-agent (versions 6.0.2, 6.0.3, 6.0.4, and 6.0.5)
- nodejs-cookie-proxy-agent (versions 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, and 1.2.4)
- axios-proxy (versions 1.7.3, 1.7.4, 1.7.7, 1.7.9, 1.8.9, and 1.9.9)
Supply Chain Attacks and the Importance of Vigilance
Lucija Valentić, a threat researcher at ReversingLabs, emphasized the continuous risk posed by threat actors orchestrating supply chain attacks using open source packages. These attacks exploit developers’ trust by enticing them to download potentially untrusted code.
Valentić emphasized the importance of organizations thoroughly examining the features and behaviors of the open source, third-party, and commercial code they rely on. This scrutiny enables them to track dependencies and detect any potential malicious payloads.
Sophistication of Threat Actors and Impersonation Techniques
The use of malicious npm packages aligns with the growing trend of threat actors focusing on open source software supply chains. This pattern underscores the increasing sophistication of these malicious actors.
Impersonation Tactics: A New Level of Deception
Researchers from Checkmarx unveiled a concerning discovery. Threat actors can now impersonate authentic npm packages by capitalizing on the similarity between uppercase and lowercase letters. This method of deception, known as “Typosquatting,” makes it difficult for users to detect the subtle differences in package names.
Threats Beyond npm: VS Code Extensions and Python Package Index
Check Point, a cybersecurity company, recently detected three malicious extensions in the VS Code extensions marketplace. These extensions, prettiest java, Darcula Dark, and python-vscode, were downloaded over 46,000 times and allowed threat actors to steal credentials, gather system information, and establish remote access.
Furthermore, the Python Package Index (PyPI) repository also faced similar risks. Some packages distributed a cryptocurrency clipper malware called KEKW, while typosquatted versions of the popular flask framework contained backdoor functions that enabled remote command execution.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.
