Unveiling TurkoRat Malware In Node.js NPM Packages: Developers Be ALERT
Two malicious packages discovered in the npm package repository reveal the presence of TurkoRat, an open-source information-stealing malware family.
The packages, which went by the names nodejs-encrypt-agent and nodejs-cookie-proxy-agent, were downloaded about 1,200 times combined and sat in the repository for more than two months before they were found and pulled down.
TurkoRat is a data thief with the ability to gather private information like login credentials, website cookies, and information from cryptocurrency wallets, according to ReversingLabs, which broke down the campaign’s specifics.
While nodejs-encrypt-agent bundled the malware directly, nodejs-cookie-proxy-agent hid it in a dependency called Axios-proxy.
The rogue packages and their affected versions are listed below:
- nodejs-encrypt-agent (versions 6.0.2, 6.0.3, 6.0.4, and 6.0.5)
- nodejs-cookie-proxy-agent (versions 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, and 1.2.4), and
- Axios-proxy (versions 1.7.3, 1.7.4, 1.7.7, 1.7.9, 1.8.9, and 1.9.9)
Lucija Valentić, a threat researcher at ReversingLabs, says: “TurkoRat is just one of many open source malware families that are offered for ‘testing’ purposes but can readily be downloaded and modified for malicious use, as well”.
The results highlight the persistent danger of threat actors coordinating supply chain attacks via open-source packages and tricking developers into installing potentially malicious programs.
Lucija Valentić said: “Development organizations need to scrutinize the features and behaviors of the open source, third-party and commercial code they are relying on in order to track dependencies and detect potential malicious payloads in them.”
In addition to illustrating the increased skill of threat actors, the rise in the deployment of malicious npm packages fits within a larger pattern of exploding attacker interest in open-source software supply chains.
Even more concerning, Checkmarx researchers last month presented fresh research demonstrating how threat actors could counterfeit legitimate npm packages by “using lowercase letters to mimic uppercase letters in the original package names” (for example, memoryStorageDriver vs. memorystoragedriver).
Researchers Teach Zornstein and Yehuda Gelb said: “This malicious package impersonation takes the traditional ‘Typosquatting’ attack method to a new level, where attackers register package names that consist of the exact same letters as the legitimate ones, with the only difference being capitalization. This makes it even harder for users to detect the deception since it can be easy to overlook the subtle differences in capitalization.”
Checkmarx, a business that specializes in supply chain security, found that 1,900 out of 3,815 packages with capital letters in their names could have been exposed to copycat attacks had the npm maintainers not deployed a fix for the issue, which had been present since December 2017.
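As an added example, not code from the article or from ReversingLabs or Checkmarx, here is a small Node.js script that applies the two defensive checks the article calls for. It walks a package-lock.json, flags any entry that matches the package names and versions listed above (including a malicious package pulled in as a nested dependency, the way Axios-proxy was), and reports dependency names that differ only in letter case, which is the impersonation pattern Checkmarx describes. The lockfile, the trusted-name list and the memorystoragedriver entry are constructed sample data; the function names are the author's own.

```javascript
// Added example: a lockfile audit for the two indicators discussed in the
// article. Not the article's or any vendor's code.

// Known-bad packages and versions, copied from the article's list.
// Keys are lowercased so that "Axios-proxy" and "axios-proxy" both match.
const KNOWN_BAD = {
  "nodejs-encrypt-agent": ["6.0.2", "6.0.3", "6.0.4", "6.0.5"],
  "nodejs-cookie-proxy-agent": ["1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4"],
  "axios-proxy": ["1.7.3", "1.7.4", "1.7.7", "1.7.9", "1.8.9", "1.9.9"],
};

// Constructed sample package-lock.json (lockfileVersion 2/3 "packages" map).
// The malicious Axios-proxy sits one level down, as a dependency of
// nodejs-cookie-proxy-agent, mirroring the nesting the article describes.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/nodejs-cookie-proxy-agent": { version: "1.2.4" },
    "node_modules/nodejs-cookie-proxy-agent/node_modules/axios-proxy": { version: "1.9.9" },
    "node_modules/memorystoragedriver": { version: "1.0.0" }, // constructed look-alike
  },
};

// Each key looks like "node_modules/foo" or "node_modules/foo/node_modules/bar";
// the package name is everything after the last "node_modules/" (scoped names
// such as "@org/pkg" survive because they contain no "node_modules/").
function listPackages(lock) {
  const marker = "node_modules/";
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.push({ name, version: meta.version, path });
  }
  return out;
}

// Check 1: exact name/version matches against the known-bad list.
function findKnownBad(lock) {
  return listPackages(lock).filter(({ name, version }) => {
    const badVersions = KNOWN_BAD[name.toLowerCase()];
    return badVersions !== undefined && badVersions.includes(version);
  });
}

// Check 2: names that collapse to the same lowercase string but are spelled
// differently. trustedNames lets you compare the lockfile against the
// packages you intended to depend on, so "memorystoragedriver" in the
// lockfile is caught when "memoryStorageDriver" is what you approved.
function findCaseCollisions(lock, trustedNames = []) {
  const byLower = new Map();
  const names = [...trustedNames, ...listPackages(lock).map((p) => p.name)];
  for (const n of names) {
    const key = n.toLowerCase();
    if (!byLower.has(key)) byLower.set(key, new Set());
    byLower.get(key).add(n);
  }
  return [...byLower.values()]
    .filter((spellings) => spellings.size > 1)
    .map((spellings) => [...spellings].sort());
}

// Human-readable summary of both checks; returns the lines so callers can
// log them, fail a CI job, or write them to a ticket.
function auditReport(lock, trustedNames = []) {
  const lines = [];
  for (const p of findKnownBad(lock)) {
    lines.push(`KNOWN-BAD ${p.name}@${p.version} at ${p.path}`);
  }
  for (const group of findCaseCollisions(lock, trustedNames)) {
    lines.push(`CASE-COLLISION ${group.join(" vs ")}`);
  }
  return lines;
}

console.log(auditReport(SAMPLE_LOCK, ["memoryStorageDriver"]).join("\n"));
```

Run it against a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and the trusted-name list with the names from your own package.json. The known-bad list here is only the three packages the article names; in practice it should be fed from a maintained advisory source rather than hard-coded.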
The discovery comes after another alert from Check Point that named three malicious extensions available for download from the VS Code extensions marketplace. As of May 14, 2023, they have been removed.
The add-ons, which went by the names prettiest java, Darcula Dark, and python-vscode, were downloaded over 46,000 times in total and had features that let threat actors collect usernames and passwords and system data, and set up a remote shell on the victim’s computer.