A recent discovery showed that two npm packages harboured a dangerous information-stealing malware known as TurkoRat, shedding light on the ongoing risks associated with open-source supply chain attacks. The packages in question, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, had been downloaded approximately 1,200 times before being identified and removed after two months.
Cybersecurity firm ReversingLabs analyzed the campaign and described TurkoRat as a potent information stealer capable of extracting sensitive data such as login credentials, website cookies, and cryptocurrency wallet information. While nodejs-encrypt-agent contained the malware, nodejs-cookie-proxy-agent disguised the trojan as a dependency named axios-proxy.
What’s particularly alarming is that nodejs-encrypt-agent was engineered to masquerade as a legitimate npm module called agent-base, which has been downloaded over 25 million times. The rogue packages and their associated versions are:
- nodejs-cookie-proxy-agent (versions 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, and 1.2.4),
- axios-proxy (versions 1.7.3, 1.7.4, 1.7.7, 1.7.9, 1.8.9, and 1.9.9) and
- nodejs-encrypt-agent (versions 6.0.2, 6.0.3, 6.0.4, and 6.0.5)
Lucija Valentić, a threat researcher at ReversingLabs, emphasized that TurkoRat is just one of many open-source malware families that are easily downloaded and repurposed for malicious intent. This discovery highlights how important it is for development organizations to thoroughly examine the features and behaviours of the open-source, third-party, and commercial code they rely on, so that they can detect potential threats and track dependencies effectively.
The prevalence of malicious npm packages aligns with a larger trend of attackers targeting open-source software supply chains. In a concerning development, researchers from Checkmarx uncovered how threat actors could impersonate legitimate npm packages by manipulating uppercase and lowercase letters in package names. This tactic makes it challenging for users to detect these deceptions, as differences in capitalization are easy to overlook.
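The package/version list above and the case-manipulation trick both lend themselves to a simple lockfile audit. The following Node.js script is an added example, not code from the article or from ReversingLabs or Checkmarx: it parses a package-lock.json, flags any dependency whose name appears in the published list of rogue packages (noting whether the pinned version is one of the listed ones), and flags names that collide with a vetted package only by letter case. As a generalisation of the typosquatting the article mentions, it also flags names that are a single character edit away from a vetted name. The lockfile content and the TRUSTED allow-list are constructed for this example; agent-base, axios and express are real packages, but the allow-list itself is an assumption.

```javascript
// Package/version pairs published in the ReversingLabs report (from the article).
const MALICIOUS_VERSIONS = {
  "nodejs-cookie-proxy-agent": ["1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4"],
  "axios-proxy": ["1.7.3", "1.7.4", "1.7.7", "1.7.9", "1.8.9", "1.9.9"],
  "nodejs-encrypt-agent": ["6.0.2", "6.0.3", "6.0.4", "6.0.5"],
};

// Hypothetical allow-list of packages this organisation has vetted (assumption).
const TRUSTED = ["agent-base", "axios", "express"];

// Classic Levenshtein edit distance, used to catch one-character typosquats.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j], becomes next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Flatten the "packages" map of a lockfileVersion 2/3 package-lock.json into
// { name, version, path } records. Nested installs such as
// "node_modules/a/node_modules/b" resolve to "b"; scoped names keep their scope.
function collectDependencies(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const marker = "node_modules/";
  const deps = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    deps.push({ name, version: meta.version, path });
  }
  return deps;
}

// Return a reason string if the name looks like an impersonation of a trusted
// package, otherwise null. An exact match with a trusted name is not flagged.
function lookalikeReason(name) {
  const lower = name.toLowerCase();
  for (const trusted of TRUSTED) {
    if (lower === trusted) {
      return name === trusted ? null : `case variant of trusted package "${trusted}"`;
    }
    if (levenshtein(lower, trusted) === 1) {
      return `one edit away from trusted package "${trusted}" (possible typosquat)`;
    }
  }
  return null;
}

// Audit every dependency in the lockfile and return the list of findings.
function auditLockfile(lockfileJson) {
  const findings = [];
  for (const dep of collectDependencies(lockfileJson)) {
    const listed = MALICIOUS_VERSIONS[dep.name];
    if (listed) {
      const inList = listed.includes(dep.version) ? "listed version" : "version not in published list";
      findings.push({ ...dep, reason: `known malicious package (${inList})` });
      continue;
    }
    const reason = lookalikeReason(dep.name);
    if (reason) findings.push({ ...dep, reason });
  }
  return findings;
}

// Constructed sample lockfile for the example (not a real project's lockfile).
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/agent-base": { version: "6.0.2" },
    "node_modules/Agent-Base": { version: "6.0.2" },
    "node_modules/axios": { version: "1.4.0" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/expres": { version: "4.18.2" },
    "node_modules/nodejs-encrypt-agent": { version: "6.0.4" },
    "node_modules/nodejs-cookie-proxy-agent": { version: "1.2.4" },
    "node_modules/nodejs-cookie-proxy-agent/node_modules/axios-proxy": { version: "1.9.9" },
  },
});

for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.path}@${f.version}: ${f.reason}`);
}
```

Run with `node audit.js` after pasting the block into that file; to audit a real project, replace SAMPLE_LOCKFILE with the contents of its package-lock.json (for example via `fs.readFileSync`). The version check is deliberately secondary: a package name that has been published as malicious is flagged whatever version is pinned, because a later release of the same name deserves the same scrutiny.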
Not limited to npm, similar instances of rogue libraries exist in the Python Package Index (PyPI) software repository. Some of these packages were designed to distribute a cryptocurrency clipper malware called KEKW, while others were typosquatted versions of the Flask framework with backdoor functions enabling remote command execution.
Additionally, Check Point recently issued an advisory revealing three malicious extensions hosted on the VS Code extensions marketplace. The extensions, namely prettiest java, Darcula Dark, and python-vscode, had been downloaded over 46,000 times and allowed threat actors to steal credentials, collect system information, and establish remote access on compromised machines.
The discovery of these malicious packages underscores the critical need for continuous vigilance in securing software supply chains and conducting thorough code reviews. Developers and organizations must proactively identify and mitigate potential threats to protect their systems and users’ sensitive information.