The NPM JavaScript registry has experienced a jump in malware, including packages related to data theft, crypto mining, botnets, and remote code execution, according to security company WhiteSource.

The popular NPM JavaScript package manager and registry has been hit with an influx of malicious packages, the most harmful of which are related to data theft, crypto mining, botnets, and remote code execution, according to research from security company WhiteSource. WhiteSource's automated malware detection platform, WhiteSource Diffend, detected a total of 1,300 malicious packages on NPM within a six-month period that ended in December 2021. All the malicious packages identified by WhiteSource were reported to NPM and were subsequently removed from the package registry.

NPM is a widely used package manager and registry with more than 1.8 million active packages, each package having a little more than 12 versions on average. A package is a prewritten set of useful functions that can be called into a programming environment without having to write every line of code from scratch. A package manager is a tool, itself built from open-source code, that installs or updates these packages. NPM is the default package manager for the widely used JavaScript runtime environment Node.js.

NPM has become a constant target for bad actors, according to WhiteSource. A report recently published by WhiteSource says that 57% of attacks happen on three days of the week: Friday, Saturday and Sunday. Most of these (81.7%) are "reconnaissance" attacks, consisting of techniques in which adversaries actively or passively gather information that can be used to support targeting. Another 14% of the attacks are designed to steal information such as credentials and other sensitive details.
NPM attacks and their unique techniques

Some of the newer malware detected by WhiteSource included:

- Mos-sass-loader and css-resources-loader: packages intended to emulate the popular NPM packages style-resource-loader and sass-loader, designed to insert malicious source code that downloads third-party info-stealers and also opens connections for remote code execution (RCE).
- Circle-admin-web-app and browser-warning-ui: packages with malicious code designed to download OS-specific external packages containing malware to initiate RCE.
- Noopenpaint: a troll package with no malicious code that launches a few applications out of turn and displays "you have been hacked".
- @grubhubprod_cookbook: the package exploits dependency confusion to specifically target Grubhub, intercepting data and sending it to a remote location.
- Azure-web-pubsub-express: a security research package with no harmful intent that collects system data and network interface details and sends them to interactsh.com.
- Reac1 and reect1: a mock-drill package posing as a research package and attempting to direct HTTP requests from the host system to webhook.com.
- Mrg-message-broker: similar to @grubhubprod_cookbook, uses dependency confusion to steal environment data.
- @sixt-web/api-client-sixt-v2-apps: another dependency confusion package that aggregates system data upon installation.
- @maui-mf/app-auth: a potential SSRF (server-side request forgery) attack package that runs discovery of AWS metadata service instance roles and sends them to an external fake domain.

The majority of these attacks fall under four harmful threat categories: cryptomining, data stealing, botnets, and security research. The security research packages are those that pose as security research programs but in reality contain remote code execution (RCE) intended to gain full access to a host. Other, less harmful packages included script kiddies and SEO hacks.
"Script kiddies are packages that do not cause harm or collect data but print disturbing messages like 'You have been hacked'," says Maciej Mansfeld, senior project manager at WhiteSource. "A few packages also try to exploit the fact that NPM displays the README of packages on its online registry to build up SEO for their online presence. We've seen online casinos and erotic websites trying to exploit that."

Dependency confusion poses major threat

The report recommends caution especially regarding attacks that look to exploit dependency confusion in NPM, and the fact that most of the bad code need not even be downloaded manually for the attack to work.

"A dependency confusion attack is a type of supply chain attack which occurs when a package manager is being manipulated into supplying malicious code instead of the intended code," says Mansfeld. "The most famous method to exploit this vulnerability is via a package manager's prioritization mechanism to supply the latest versions."

In such cases, when attackers successfully find an internal dependency package name, they can then create a public package with the same name and a higher version number. The malicious public package will then be preferred by the package manager and automatically installed whenever an update is called.

How to stay safe on NPM

The report recommends adopting a zero trust policy on the system, updating only when confident about the content of a package; being aware of the environment and tracking changes regularly; running continuous integration (CI) in an isolated stage; and keeping close tabs on the SDLC (software development life cycle). Watching out for packages that download remote components upon installation, and keeping track of all OSS (operation support system) components being used, are also good sanitary routines for NPM end users, according to Mansfeld.
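As an added example (not code from the article or from WhiteSource), the following Node.js script audits a project's package.json and .npmrc for the two conditions the dependency-confusion section describes, an internal package name that a same-named public package could shadow and a floating version range that lets a higher public version win on update, and also checks whether install-time scripts are disabled, which addresses the advice about packages that download remote components on installation. The scope "@acme", the internal package names and the registry URL are constructed assumptions.

```javascript
// Added example (not from the article or WhiteSource): offline audit of a
// package.json and .npmrc for the dependency-confusion conditions described above.
// The scope "@acme", the internal package names and the registry URL are constructed.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Read only the .npmrc keys that matter here: "@scope:registry=URL", "ignore-scripts=true".
function parseNpmrc(text) {
  const scopes = {};
  let ignoreScripts = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const scoped = line.match(/^(@[^:=]+):registry\s*=\s*(\S+)$/);
    if (scoped) scopes[scoped[1]] = scoped[2];
    else if (/^ignore-scripts\s*=\s*true$/.test(line)) ignoreScripts = true;
  }
  return { scopes, ignoreScripts };
}

// Return {name, issue} findings: an internal name that a public package could shadow
// (unscoped, or scope not mapped to the private registry), a floating range that would
// let a higher public version win on update, and install scripts left enabled.
function auditDependencies(pkg, npmrcText, internalNames) {
  const cfg = parseNpmrc(npmrcText);
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(deps)) {
    if (!internalNames.has(name)) continue; // public dependencies are out of scope here
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (!scope) findings.push({ name, issue: "unscoped internal name can be shadowed by a public package" });
    else if (!cfg.scopes[scope]) findings.push({ name, issue: `scope ${scope} not mapped to a private registry` });
    if (!EXACT_VERSION.test(range)) findings.push({ name, issue: `floating range ${range} allows upgrade to a higher public version` });
  }
  if (!cfg.ignoreScripts) findings.push({ name: "(project)", issue: "ignore-scripts not set; install hooks run on npm install" });
  return findings;
}

// Constructed sample: a scoped internal dep with a floating range, an unscoped
// internal dep, a clean scoped dep, and an unrelated public dep.
const SAMPLE_PACKAGE_JSON = {
  name: "acme-web",
  dependencies: { "@acme/auth-client": "^2.1.0", "acme-cookbook": "1.4.2",
                  "@acme/telemetry": "3.0.0", "express": "^4.18.2" },
};
const SAMPLE_NPMRC = "@acme:registry=https://npm.internal.example/\n";
const INTERNAL_PACKAGES = new Set(["@acme/auth-client", "acme-cookbook", "@acme/telemetry"]);

console.log(auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, INTERNAL_PACKAGES));
```

On the constructed sample this reports three findings: the unscoped acme-cookbook, the floating range on @acme/auth-client, and the missing ignore-scripts setting; a lockfile and a CI stage that installs from the private registry only would close the remaining gap.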