NPM packages found containing the TurkoRat infostealer

Experts discovered two malicious packages in the npm package repository, both were laced with an open-source info-stealer called TurkoRat.

ReversingLabs discovered two malicious packages, respectively named nodejs-encrypt-agent and nodejs-cookie-proxy-agent, in the npm package repository containing an open-source info-stealer called TurkoRat.

TurkoRat is an information-stealing malware that can obtain a broad range of data from the infected machine, including account login credentials, cryptocurrency wallets, and website cookies. The malware also supports anti-sandbox and analysis functionalities to avoid detection and prevent being analyzed.

“TurkoRat is just one of many open source malware families that are offered for “testing” purposes, but can readily be downloaded and modified for malicious use, as well.” reads the analysis published by ReversingLabs. “TurkoRat’s author clearly anticipates this, as he provides instructions on how to use malicious code, while stating that he is ‘not responsible for any damages this software may cause and that it was only made for personal education.'”

The two packages were collectively downloaded approximately 1,200 times since their upload into the repository two months before they were discovered.

The nodejs-encrypt-agent was discovered due to name and version discrepancies noticed by the researchers while scanning the repository.

The researchers noticed that the nodejs-encrypt-agent contained the malware inside. The package name used by the attackers on the npm page appeared as legitimate, but it differed from the name listed in the readme.md file (agent-base). The choice of the name agent-base in the readme.md was not accidental, because agent-base is the name of a legitimate npm package with tens of million downloads.

The attackers also disguised the malware as a dependency, axios-proxy, that was imported into every file found inside a second package named nodejs-cookie-proxy-agent.

The discovery of the two packages highlights the dangers of supply chain attacks that rely on open-source packages and social engineering tricks used to trick developers into downloading the malicious packages.

After the disclosure of the packages both were removed from npm repository and are no longer available for download.

“In the case of the two packages discovered and analyzed by ReversingLabs researchers, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, the fallout from these attacks was limited. The nodejs-encrypt-agent was downloaded about 500 times during its two months of availability. The nodejs-cookie-proxy-agent was downloaded fewer than 700 times.” concludes the report that also provides Indicators of Compromise (IoCs). “Still, the malicious packages were almost certainly responsible for the malicious TurkoRat being run on an unknown number of developer machines. The longer term impact of that compromise is difficult to measure.” 

Organizations should pay attention to the packages that were used by their development teams paying attention to anomalies such as typos or strange version numbers.

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NPM)