June 7, 2023

Researchers have discovered two malicious packages, namely nodejs-encrypt-agent and nodejs-cookie-proxy-agent, in the npm package repository contain open source info stealer called TurkoRat.

TurkoRat can obtain a broad range of data from the infected machine, including account login credentials, crypto wallets, and website cookies. The malware also supports anti sandbox and analysis functionalities to avoid detection and prevent being analyzed.

TurkoRat is offered for testing purposes and can readily be downloaded and modified for malicious use, as well. Its author clearly anticipates this, as he provides instructions on how to use malicious code, while stating that he is ‘not responsible for any damages this software may cause and that it was only made for personal education.

Advertisements

The two packages were collectively downloaded thousand plus times. since they uploaded into the repository two months before they were discovered.

The nodejs-encrypt-agent was discovered due to name and version discrepancies noticed by the researchers while scanning the repository.

The package name used by the attackers on the npm page appeared as legitimate, but it differed from the name listed in the readme.md file (agent-base). The choice of the name agent-base in the readme.md was not accidental because agent-base is the name of a legitimate npm package with tens of million downloads.

The attackers also disguised the malware as a dependency, axios-proxy, that was imported into every file found inside a second package named nodejs-cookie-proxy-agent.

The discovery of the two packages highlights the dangers of supply chain attacks that rely on open-source packages and social engineering tricks used to trick developers into downloading the malicious packages.

Advertisements

After the disclosure of the packages, both were removed from the npm repository and are no longer available for download.

This research was documented by researchers from Reversinglabs

Indicators of Compromise

  • 1a8a8fa87aff26fc2b269846f0f0d5be588bc6ee
  • 99537ef2edffcebe6ebe88cc5d3d9420d397e89c
  • 8093060aa8cea40a790ea0538c14bb11f3a02cd0
  • 395d592b52c2947dd6bff455725a3c4204f41bb4
  • d6e03a4023a3759cd28eb85c909bc17af4b78b7e
  • a324176ef05a03a244220072f9f1eb168e4ffa89
  • 97d9fff201c71ef13bb1b2a7dcd442c59a94e5e0
  • a4ac448a83865bbe7f62f5dad56143f1d5d0b526
  • 3576ccdd8fdde01a6d55c62f45aa8960a479ebee
  • 301088fc087f4ae61427a4515b3b822372a9d50f
  • aa02262de80a31b50efdf0a84c9915ca43696389
  • 82ce0491e2415fa8ab8d75faa26adc2278855507
  • 36f4b2e3d1f0e0e791e44178b41c9e53eb1898b5
  • 61122f4857ae5c358cee5a79232b6f1b6213025a
  • c29938c79fd7fb0dcd3b646df136333e0ae62fda
  • ebb5b9d0d5416c5eaa0a3b00e9115ac7ed5839d6
Tags:

Leave a Reply

You may have missed

Microsoft to comply with LinkedIn GDPR Violation

Microsoft to comply with LinkedIn GDPR Violation

June 7, 2023
Google Fixes Third Chrome Zeroday

Google Fixes Third Chrome Zeroday

June 6, 2023
Moveit Attributed to Lace Tempest

Moveit Attributed to Lace Tempest

June 6, 2023
Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
%d bloggers like this: