Sonatype Discovers Malicious Packages Targeting Open Source Software Registries

Sonatype, a leading provider of automated open source and malware detection systems, has recently uncovered hundreds of malicious packages and analyzed 10 of them in detail. These findings shed light on the diverse range of open source threats plaguing the cybersecurity landscape. One striking discovery involves packages named after the well-known npm library "colors," which ironically turned out to be Python packages published on the PyPI registry. These packages, such as "broke-rcl" and "brokescolors," were found to target the Windows operating system, deploying trojans upon installation. Intriguingly, all of these packages were associated with a PyPI account named 'broke,' which has since been removed following Sonatype's private disclosure to PyPI.


The malicious packages named after the npm "colors" library shared identical versioning and contained payloads designed to download and execute trojans hosted on Discord's servers. Additionally, another package named "trexcolors" was discovered to download and run a trojan called "trex.exe" upon installation. This particular trojan, identified as an info-stealer, exhibits code obfuscation techniques and anti-reverse engineering measures to impede analysis.


Sonatype's researchers also encountered a cross-platform malware named "libiobe" within the PyPI ecosystem. This package, seemingly named after the legitimate library "iobes," targeted users of both Windows and Unix operating systems. On Windows systems, it dropped a trojan executable named "V0d220823bb829d3fcc62d10adf.exe", which was embedded in the package's source code as a base64 string, with the aim of collecting sensitive information. On Linux/Unix systems, minified Python code was executed instead, which profiled the system and sent the gathered data to a Telegram endpoint.


Furthermore, Sonatype identified other suspicious packages, such as FNBOT2, TAGADAY, and ZUPPA, which employed obfuscated code packed into variables named magic, love, god, destiny, joy, and trust. This pattern of obfuscation has been observed previously in packages associated with cryptominers. Although the specific targets or intentions behind these packages remain unclear, they underscore the persistent threats facing open source software registries like PyPI and npm.
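As an added example, not Sonatype's code or any tooling described on the page, the following Python script statically triages a package's install-time code for the indicators the article describes: a large base64 literal that decodes to a Windows PE image (the libiobe pattern), a platform check that branches into a decode-and-execute chain, and long strings assigned to the decoy variable names reported for FNBOT2, TAGADAY and ZUPPA. The two sample setup scripts, the fake "MZ" blob, the call lists and the scoring weights are constructed for illustration; a hit is a reason to quarantine and inspect a package by hand, not proof of malice.

```python
"""Static triage of a Python package's install-time code (setup.py or similar)
for the indicators described above. Heuristics only: the script never runs
the code it inspects, it parses it with the ast module and pattern-matches."""
import ast
import base64
import binascii
import re
from dataclasses import dataclass, field

# Decoy variable names reported on the page for the obfuscated-code pattern.
SUSPICIOUS_NAMES = {"magic", "love", "god", "destiny", "joy", "trust"}
# Decode primitives and execution sinks that, seen together, usually mean a
# staged payload. Module-qualified names are matched; bare exec/eval too.
DECODE_CALLS = {"base64.b64decode", "base64.decodebytes", "zlib.decompress"}
EXEC_CALLS = {"exec", "eval", "os.system", "os.startfile",
              "subprocess.Popen", "subprocess.call", "subprocess.run"}
PLATFORM_ATTRS = {"os.name", "sys.platform"}

# A run of base64 alphabet long enough to hold more than a short string.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


@dataclass
class Findings:
    pe_blobs: list = field(default_factory=list)          # (offset, decoded size)
    suspicious_names: list = field(default_factory=list)  # decoy names holding payloads
    decode_calls: int = 0
    exec_calls: int = 0
    platform_checks: int = 0

    def score(self) -> int:
        """Constructed weighting: an embedded PE dominates, then combinations."""
        s = 5 * len(self.pe_blobs)
        s += 3 if len(self.suspicious_names) >= 3 else len(self.suspicious_names)
        if self.decode_calls and self.exec_calls:
            s += 3
        if self.platform_checks and self.exec_calls:
            s += 1
        return s


def find_pe_blobs(source: str):
    """Return (offset, size) for base64 runs that decode to an MZ-headed image."""
    hits = []
    for m in BASE64_RE.finditer(source):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, e.g. a long identifier or hash
        if raw[:2] == b"MZ":
            hits.append((m.start(), len(raw)))
    return hits


def _dotted(node) -> str:
    """Render os.name / subprocess.Popen style references as dotted strings."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class _Visitor(ast.NodeVisitor):
    def __init__(self, findings: Findings):
        self.f = findings

    def visit_Assign(self, node):
        # Long string constants parked in the reported decoy variable names.
        for target in node.targets:
            if (isinstance(target, ast.Name) and target.id in SUSPICIOUS_NAMES
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, (str, bytes))
                    and len(node.value.value) >= 64):
                self.f.suspicious_names.append(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name in DECODE_CALLS:
            self.f.decode_calls += 1
        elif name in EXEC_CALLS:
            self.f.exec_calls += 1
        self.generic_visit(node)

    def visit_Compare(self, node):
        # os.name == "nt", sys.platform == "win32", platform.system() == "Windows"
        left = node.left
        if _dotted(left) in PLATFORM_ATTRS or (
                isinstance(left, ast.Call) and _dotted(left.func) == "platform.system"):
            self.f.platform_checks += 1
        self.generic_visit(node)


def scan_source(source: str) -> Findings:
    findings = Findings()
    findings.pe_blobs = find_pe_blobs(source)
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return findings  # unparsable install code deserves a manual look anyway
    _Visitor(findings).visit(tree)
    return findings


# Constructed stand-in for an embedded executable: a DOS "MZ" header plus
# filler bytes. It is not a real program and not taken from any package.
_FAKE_PE = base64.b64encode(b"MZ" + b"\x00" * 200).decode()

# Constructed test fixture mirroring the described indicators; it is only parsed.
SUSPICIOUS_SETUP = f'''
import base64, os, subprocess
magic = "{"A" * 70}"
love = "{"B" * 70}"
god = "{"C" * 70}"
if os.name == "nt":
    data = base64.b64decode("{_FAKE_PE}")
    open("payload.exe", "wb").write(data)
    subprocess.Popen(["payload.exe"])
else:
    exec(base64.b64decode(magic + love + god))
'''

BENIGN_SETUP = '''
from setuptools import setup
setup(name="colors-example", version="1.0.0", py_modules=["colors_example"])
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        r = scan_source(src)
        print(f"{label}: score={r.score()} pe_blobs={r.pe_blobs} names={r.suspicious_names}")
```

Run against an unpacked sdist or wheel (setup.py, setup.cfg-invoked modules, and any module imported at install time) before the package is allowed into an internal mirror; the AST approach is immune to whitespace and comment tricks but, like any static check, misses payloads that are fetched at runtime rather than embedded, so pair it with network egress controls on build hosts.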


The emergence of these malicious packages highlights the need for robust security measures within the open source ecosystem. Developers and users must remain vigilant and employ proper vetting and verification processes to mitigate the risk of such threats. Sonatype's detection systems serve as a crucial defense against these malicious packages, enabling the identification and removal of harmful software, and ultimately safeguarding the integrity of open source ecosystems.