Researchers have discovered two malicious packages, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, in the npm package repository that contain the open-source information stealer TurkoRat.
TurkoRat can harvest a broad range of data from the infected machine, including account login credentials, crypto wallets, and website cookies. The malware also includes anti-sandbox and anti-analysis functionality to evade detection and hinder analysis.
TurkoRat is offered for testing purposes and can readily be downloaded and modified for malicious use as well. Its author clearly anticipates this: he provides instructions on how to use the malicious code while stating that he is ‘not responsible for any damages this software may cause’ and that it was only made for personal education.
The two packages were collectively downloaded over a thousand times since they were uploaded to the repository, two months before they were discovered.
The nodejs-encrypt-agent package was discovered because of name and version discrepancies the researchers noticed while scanning the repository.
The package name shown on the npm page appeared legitimate, but it differed from the name listed in the package's readme.md file (agent-base). The choice of agent-base in the readme.md was not accidental: agent-base is the name of a legitimate npm package with tens of millions of downloads.
The attackers also disguised the malware as a dependency, axios-proxy, that was imported into every file in a second package, nodejs-cookie-proxy-agent.
The discovery of the two packages highlights the dangers of supply chain attacks that rely on open-source package repositories and on social engineering tricks used to lure developers into downloading malicious packages.
After the disclosure of the packages, both were removed from the npm repository and are no longer available for download.
This research was documented by researchers from ReversingLabs.
Indicators of Compromise