Tuesday, October 15, 2024
HomeCyber Security NewsNascent Malware Attacking npm, PyPI, and RubyGems Developers

Nascent Malware Attacking npm, PyPI, and RubyGems Developers

Published on

Malware protection

Phylum analyzes source code and metadata for all registry-pushed packages. This year, in millions of packages they are aiming to examine nearly a billion files, as this will enable them to get unique insights into package behaviors across ecosystems.

That’s why it has been actively tracking various recent malware campaigns, from fake npm package updates to GCC binary impostors and complex data exfiltration setups.

Besides this, the cybersecurity analysts at Phylum recently reported about Nascent malware attacking developers of the following platforms and programs:-

- Advertisement - SIEM as a Service

Nascent Malware on Registry packages

Phylum’s automated platform alerted researchers about the “kwxiaodian” package on September 3, 2023, and in its setup.py the following contents were revealed:-

Contents of setup.py (Source – Phylum)

Simultaneously, they received alerts about harmful npm packages executing specific actions in the package.json preinstall hook, and then the obfuscated index.js file was executed.

Here below, we have mentioned all the things that this package does:-

  • The network interface info is gathered initially.
  • Basic information like OS details, free memory available, etc., were also collected.
  • If the platform is not macOS, then the execution is automatically terminated.
  • Lastly, it encrypts and sends data to the attacker’s server.

The Rubygems package mirrors PyPI and npm patterns, triggering automatic execution via the “Rakefile” to collect and send host information to a remote server.

Ruby platform data collection (Source – Phylum)

Ecosystems Commonalities 

However, apart from all these things, the campaigns targeting npm, PyPI, and RubyGems are identical, as revealed by the researchers upon close review analysis.

Here below, we have mentioned all the commonalities:-

  • On 81.70.191.194, all the packages communicate with a service.
  • Collects and sends system info to this service.
  • On macOS systems, the packages execute only.
  • Similar versions across ecosystems were published.

Timeline

Full package timeline (Source – Phylum)

Malware is widespread in open-source registries, and despite security awareness, developers often pull and execute packages from unknown sources. Making manual audits impractical due to the increasing number of dependencies.

In this scenario, using automated solutions to detect and block packages violating defined policies is a wise approach to managing malware and other risks.

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

pac4j Java Framework Vulnerable to RCE Attacks

A critical security vulnerability has been discovered in the popular Java framework pac4j. The...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...