This Week in Malware, we continue to see an uptick in outright malicious and dependency confusion packages employing novel tactics. A list of some of the packages caught by Sonatype’s automated malware detection systems is given below and more analysis is expected to follow in subsequent blog posts next week.
npm package steals Amazon EC2, Windows SAM credentials
CyberARK Core PAS (Privileged Access Security) is a prominent access management solution, and ‘@core-pas/cyb-core’ in particular appears to target CyberARK developers, as the name suggests.
Except that these dependency confusion packages, assigned sonatype-2022-3360, attempt to exfiltrate sensitive files such as:
The code snippet from ‘@core-pas/cyb-core’ shown below demonstrates that the package goes well beyond a basic proof of concept: it reads these sensitive files.
The data collected is then uploaded to the domain shown below via a POST request:
The list of some more npm dependency confusion packages caught this week is shown below, but this is by no means exhaustive, and dozens of packages are still awaiting analysis by our research team:
These packages were reported to npm by us prior to publishing.
Malicious Python package with encrypted payload
Malicious Python (PyPI) packages caught by us this week include:
This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/this-week-in-malware-npm-malware-exfiltrates-windows-sam-amazon-ec2-credentials