Malicious package found on NPM and PYPi Registries

Researchers have discovered malicious packages on the npm and PyPi open-source registries, which could cause issues if unwittingly downloaded by developers.

In January, Researchers found 691 malicious npm packages and 49 malicious PyPi components containing crypto-miners, remote access Trojans (RATs).

Multiple packages that contain the same malicious package.go file – a Trojan designed to mine cryptocurrency from Linux systems. Sixteen of these were traced to the same threat actor trendava, and same has been removed from the npm registry,

Advertisements

Separate finds include PyPI malware minimums, which is designed to check for the presence of a virtual machine (VM) before executing. The idea is to disrupt attempts by security researchers, who often run suspected malware in VMs, to find out more about the threat.

The malware will check the following

Initially it will check if the current operating system is Windows.
It then checks if the environment is not running in a virtual machine or sandbox environment.
It does this by validating the presence of specific files associated with VMware and VirtualBox.
It checks for the presence of certain processes that are commonly used by security researchers.
If the environment is a virtual machine, the code immediately returns without executing any further.

Researchers also discovered new Python malware combining the capabilities of a RAT and information stealer.

It also been discovered a suspicious-looking developer known as “infinitebrahamanuniverse” who uploaded over 33,000 packages self-described as sub-packages of “no-one-left-behind,” or “nolb.” The latter was removed last week, after the npm security team found that it depended on every other known publicly available npm package. Developers need to validate if the package was uploaded, and any dependency was created.