Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Ethereum smart contracts.
Research
Bradley Meck Farias
March 30, 2023
Step aside, Kardashians – there's a new media obsession in town, and his name is John Wick! The npm public registry is drowning in a tsunami of spam and phishing, and it's all thanks to everyone's favorite gun-toting antihero.
Here at Socket, we've been keeping a close eye on the registry, and boy, have we got some juicy tidbits for you. Just yesterday, there were a whopping 4,600 npm packages all about John Wick. But that was just the beginning! By the end of our demos, the number had shot up to 4,750, and this morning, we counted almost 5,600! That's right, folks – a mind-blowing 0.02% of npm is now dedicated to Mr. Wick.
We've already spilled the beans on uploading media to npm, but this John Wick extravaganza is taking things to a whole new level. Lucky for you, we've been cooking up some fresh new ways to handle these pesky packages, and we've uncovered some real eyebrow-raisers along the way:
1. Crafty URL shorteners are the go-to disguise for these sneaky links. Some even require a little JavaScript magic to reveal their true nature.
2. Hold the phone – most of these URLs are actually labeled as "benign" by reputation databases! Short-lived domains and hand-curated databases are the culprits behind this shocking oversight.
3. Non-English speakers, rejoice! A large chunk of these slippery packages are in languages other than English. It's time to rethink our approach to the registry and embrace the global nature of open-source software.
4. The cherry on top? This whole hullabaloo is a brazen attempt at search engine optimization (SEO) grabbing! Even though real users aren't downloading these packages (download counts suggest only bots are doing the dirty work), they're plastered all over npm's homepage. Talk about a sneaky SEO boost!
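A heuristic triage of package metadata built from the four observations above, as an added example (not Socket's own tooling): the shortener list, the 0.5 non-English ratio, the flat-and-tiny bot-traffic thresholds and the two sample packages are all constructed assumptions.

```javascript
// Added example, not Socket's own tooling: heuristic triage of npm package
// metadata for the John Wick SEO-spam pattern. All sample data is constructed.

// Common URL shorteners (assumption: illustrative list, not exhaustive).
const SHORTENER_RE = /https?:\/\/(bit\.ly|t\.co|tinyurl\.com|is\.gd|cutt\.ly|rb\.gy)\/\S+/gi;
const KEYWORD_RE = /john[\s_-]*wick/i;

// Share of letters outside A-Z after stripping URLs; high values suggest non-English text.
function nonAsciiRatio(text) {
  const letters = text.replace(/https?:\/\/\S+/g, '').replace(/[^\p{L}]/gu, '');
  if (letters.length === 0) return 0;
  return letters.replace(/[A-Za-z]/g, '').length / letters.length;
}

// Bot-only traffic tends to be tiny and flat; genuine interest is larger and bursty (assumed thresholds).
function looksBotOnly(dailyDownloads) {
  if (dailyDownloads.length === 0) return true;
  const max = Math.max(...dailyDownloads);
  const min = Math.min(...dailyDownloads);
  return max <= 5 && max - min <= 2;
}

// Collect independent signals so a reviewer sees why a package was flagged.
function triagePackage(pkg) {
  const signals = [];
  const shortLinks = pkg.readme.match(SHORTENER_RE) || [];
  if (KEYWORD_RE.test(`${pkg.name} ${pkg.description} ${pkg.readme}`)) signals.push('wick-keyword');
  if (shortLinks.length > 0) signals.push('shortened-url');
  if (nonAsciiRatio(`${pkg.description} ${pkg.readme}`) > 0.5) signals.push('non-english');
  if (looksBotOnly(pkg.dailyDownloads)) signals.push('bot-only-downloads');
  return { name: pkg.name, score: signals.length, signals, shortLinks };
}

// Names of packages at or above the threshold; tune the threshold to local false-positive tolerance.
function flagSpam(packages, threshold = 3) {
  return packages.map(triagePackage).filter((r) => r.score >= threshold).map((r) => r.name);
}

// Constructed sample metadata (not real registry data).
const SAMPLE_PACKAGES = [
  { name: 'john-wick-4-full-movie-hd', description: 'Джон Уик 4 онлайн',
    readme: 'Смотреть фильм Джон Уик 4 онлайн бесплатно в хорошем качестве: https://bit.ly/EXAMPLE-spam-link',
    dailyDownloads: [2, 2, 3, 2, 2, 3, 2] },
  { name: 'left-pad-clone', description: 'String left padding helper',
    readme: 'Usage: leftPad("x", 5). Source: https://github.com/example/left-pad-clone',
    dailyDownloads: [120, 340, 80, 15, 900, 60, 410] },
];

console.log(flagSpam(SAMPLE_PACKAGES)); // prints [ 'john-wick-4-full-movie-hd' ]
```

Each signal is weak on its own (a legitimate non-English package with a shortened link exists), which is why the score combines them and the triage output keeps the matched links for a human to check.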
Stay tuned, dear readers, because we've got some thrilling news coming your way soon about this utterly bizarre turn of events. In the meantime, feast your eyes on this John Wick-filled npm landscape, because it's reaching a fever pitch!