TurkoRat Malware in NMP Package

The TurkoRat malware has made its way into commonly used code packages, posing a significant threat to Node.js developers. ReversingLabs, a threat-researching cybersecurity company, recently uncovered this new danger. The malware, known as TurkoRate, is designed to steal sensitive information like login credentials, cookies, and data from cryptocurrency wallets.

In their investigation, ReversingLabs discovered that a package named “nodejs-encrypt-agent” were utilized to inject the malicious TurkoRate malware. The attackers cleverly disguised the package to mimic the popular “agent-base” package, thereby deceiving developers into unknowingly downloading and installing the rogue software. This attack targeted millions of developers, making it a matter of great concern.

The TurkoRat package, which contained the malware, leveraged the “pkg” package provided by npm (Node Package Manager) to bind multiple files into a single executable. These files were stored in a virtual file storage accessible during runtime. Notably, the package closely resembled the legitimate “agent-base,” but with the addition of a malicious portable executable. When the package was executed, hidden commands within the index.js file triggered the execution of the malicious code.

Unfortunately, the malevolent package had already been downloaded approximately 1200 times before it was eventually removed from the npm library. Additionally, two other packages, namely “nodejs-cookie-proxy-agent” and “axios-proxy,” were also found to be affected by this malware and were promptly taken down.

This incident highlights the alarming nature of supply chain attacks. Malicious actors successfully injected malware into publicly available packages and lured unsuspecting developers into downloading them. It is crucial to note that such attacks have been on the rise lately. Therefore, it is strongly recommended that developers thoroughly analyze not only open-source code but also third-party and commercial code before downloading and implementing them in their projects. Vigilance and caution are paramount in ensuring the security of your systems and protecting sensitive information from falling into the wrong hands.

Source:

The Hacker News
Dark Reading
ReversingLabs Original Report

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2024 Dmitrii "Zamrax" Strizhkov | Signify Dark by WEN Themes