
Malware authors have again managed to sneak malicious libraries into npm

Representational image depicting a mine worker toiling to mine cryptocurrency
(Image credit: Yevhen Vitte / Shutterstock)

Automated malware detection systems have once again flagged several malicious packages lurking in the npm registry.

Masquerading as legitimate JavaScript libraries, the latest round of packages launch cryptominers on Windows, macOS, and Linux machines.

“Once again, this particular discovery is a further indication that developers are the new target for adversaries over the software they write,” writes Sonatype, noting that all the packages were published by the same author.


The Sonatype researchers reported the malicious packages (named okhsa, klow and klown) to npm only hours after their release, and they were unlisted the same day, causing little to no damage.

Unclear intentions

Attacks on public repositories such as JavaScript’s npm and Python’s PyPI aren’t anything new, but they have increased in intensity of late. In fact, a recent report concluded that supply chain attacks aimed at upstream open source public repositories registered a whopping 650% year-on-year increase in 2021.

npm isn’t immune to these infiltrations, and Sonatype has previously shared that its automated systems have identified over 12,000 suspicious and malicious npm packages since 2019.

What’s interesting about these newly flagged (and subsequently removed) packages is that they didn’t employ any of the usual ploys to trick developers into installing them.

“It isn’t clear how the author of these packages aims to target developers. There are no obvious signs observed that indicate a case of typosquatting or dependency hijacking. ‘Klow(n)’ does impersonate the legitimate UAParser.js library on the surface, making this attack seem like a weak brandjacking attempt,” observe the researchers.
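The typosquatting and brandjacking patterns the researchers mention are something a team can check for on its own side of the registry. The script below is an added example, not Sonatype’s tooling or code from the article: it audits the dependency names in a package.json against the three package names the article reports (okhsa, klow, klown) and against a small, constructed allowlist of well-known packages, flagging exact blocklist hits, names that collapse to a popular name once separators and scope are stripped (the ‘Klow(n)’-style lookalike), and names within a short edit distance of a popular one. The allowlist, the sample package.json and the distance threshold are assumptions chosen for the demonstration.

```javascript
// Added example (not Sonatype's or the article's code): audit the dependency
// names in a package.json for the typosquatting / brandjacking pattern the
// article describes, from the defender's side.

// Package names the article reports as malicious (since removed from npm).
const KNOWN_BAD = new Set(['okhsa', 'klow', 'klown']);

// Constructed allowlist of popular packages; a real deployment would generate
// this from the organisation's approved-dependency list.
const POPULAR = ['ua-parser-js', 'lodash', 'express', 'react', 'axios'];

// Standard Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Normalise a name for comparison: drop an npm scope prefix, lowercase, and
// remove separators so "ua_parser_js" compares equal to "ua-parser-js".
function normalise(name) {
  return name.replace(/^@[^/]+\//, '').toLowerCase().replace(/[-_.]/g, '');
}

// Returns a list of findings for the dependencies and devDependencies of a
// parsed package.json object. maxDistance is the near-miss threshold.
function auditDependencies(pkg, maxDistance = 2) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    if (KNOWN_BAD.has(name)) {
      findings.push({ name, reason: 'known-malicious' });
      continue;
    }
    const norm = normalise(name);
    for (const pop of POPULAR) {
      const popNorm = normalise(pop);
      if (norm === popNorm) {
        // Identical after normalisation: either the genuine package or a
        // lookalike that differs only in separators, case or scope.
        if (name !== pop) findings.push({ name, reason: 'lookalike', of: pop });
        break;
      }
      const distance = levenshtein(norm, popNorm);
      if (distance <= maxDistance) {
        findings.push({ name, reason: 'near-miss', of: pop, distance });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample package.json mixing one genuine dependency, one of the
// article's reported names, a one-transposition typosquat and a lookalike.
const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: { express: '^4.18.0', klown: '1.0.0', lodahs: '4.17.21' },
  devDependencies: { ua_parser_js: '1.0.2' },
};

console.log(JSON.stringify(auditDependencies(SAMPLE_PACKAGE_JSON), null, 2));
```

Run it with `node audit.js` to see the three findings for the sample; in a CI job, replace SAMPLE_PACKAGE_JSON with the parsed project package.json and fail the build when the list is non-empty. The threshold of two edits is deliberately loose, so expect a few false positives on short names and treat the output as a review prompt rather than a verdict.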

Sonatype says it is now expanding the malware detection capabilities that caught the packages in npm to other ecosystems as well, such as PyPI.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.