December 1, 2023

Researchers have discovered two malicious packages, namely nodejs-encrypt-agent and nodejs-cookie-proxy-agent, in the npm package repository contain open source info stealer called TurkoRat.

TurkoRat can obtain a broad range of data from the infected machine, including account login credentials, crypto wallets, and website cookies. The malware also supports anti sandbox and analysis functionalities to avoid detection and prevent being analyzed.

TurkoRat is offered for testing purposes and can readily be downloaded and modified for malicious use, as well. Its author clearly anticipates this, as he provides instructions on how to use malicious code, while stating that he is ‘not responsible for any damages this software may cause and that it was only made for personal education.

Advertisements

The two packages were collectively downloaded thousand plus times. since they uploaded into the repository two months before they were discovered.

The nodejs-encrypt-agent was discovered due to name and version discrepancies noticed by the researchers while scanning the repository.

The package name used by the attackers on the npm page appeared as legitimate, but it differed from the name listed in the readme.md file (agent-base). The choice of the name agent-base in the readme.md was not accidental because agent-base is the name of a legitimate npm package with tens of million downloads.

The attackers also disguised the malware as a dependency, axios-proxy, that was imported into every file found inside a second package named nodejs-cookie-proxy-agent.

The discovery of the two packages highlights the dangers of supply chain attacks that rely on open-source packages and social engineering tricks used to trick developers into downloading the malicious packages.

Advertisements

After the disclosure of the packages, both were removed from the npm repository and are no longer available for download.

This research was documented by researchers from Reversinglabs

Indicators of Compromise

  • 1a8a8fa87aff26fc2b269846f0f0d5be588bc6ee
  • 99537ef2edffcebe6ebe88cc5d3d9420d397e89c
  • 8093060aa8cea40a790ea0538c14bb11f3a02cd0
  • 395d592b52c2947dd6bff455725a3c4204f41bb4
  • d6e03a4023a3759cd28eb85c909bc17af4b78b7e
  • a324176ef05a03a244220072f9f1eb168e4ffa89
  • 97d9fff201c71ef13bb1b2a7dcd442c59a94e5e0
  • a4ac448a83865bbe7f62f5dad56143f1d5d0b526
  • 3576ccdd8fdde01a6d55c62f45aa8960a479ebee
  • 301088fc087f4ae61427a4515b3b822372a9d50f
  • aa02262de80a31b50efdf0a84c9915ca43696389
  • 82ce0491e2415fa8ab8d75faa26adc2278855507
  • 36f4b2e3d1f0e0e791e44178b41c9e53eb1898b5
  • 61122f4857ae5c358cee5a79232b6f1b6213025a
  • c29938c79fd7fb0dcd3b646df136333e0ae62fda
  • ebb5b9d0d5416c5eaa0a3b00e9115ac7ed5839d6
Tags:

Leave a Reply

You may have missed

TheCyberThrone Security Week In Review – November 25, 2023

November 30, 2023

BlueVoyant Acquires Conquest Cyber

November 30, 2023

Google Fixes Sixth Chrome ZeroDay of 2023

November 29, 2023

Ardent Health Services affected by a cyber incident

November 29, 2023

GE and DARPA – Claimed Hack raises concerns

November 28, 2023

POC released for Splunk Enterprise Vulnerability- CVE-2023-46214

November 28, 2023
%d bloggers like this: