700+ Malicious Open-Source Packages Discovered in npm and PyPI
Security researchers have discovered more than 700 malicious open-source packages in npm and PyPI, two of the most widely used software repositories among developers and organizations worldwide.
npm and PyPI act as the main source for the packages required in everyday software development. They offer a convenient way for developers to save time and effort by reusing pre-built code components (packages).
However, with popularity comes a downside: these repositories have become an attractive target for cybercriminals seeking to abuse the package ecosystem. Security researchers at Sonatype used their AI-enabled tool to detect 691 malicious packages in the npm registry and 49 in the PyPI registry.
In npm, two packages in particular drew the researchers' attention. One is 'no-one-left-behind' by the author Zalastax; the other is a set of more than 33,000 packages with the 'nolb-' prefix published by the author 'infinitebrahamanuniverse'.
The 'no-one-left-behind' package declares a dependency on every publicly available npm package, while the 33,000+ 'nolb-' packages are self-described as components of 'no-one-left-behind'.
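As an added illustration (not code from the article, Sonatype or npm), the following script audits a parsed package-lock.json for the two patterns described above: a blocklisted package name such as 'no-one-left-behind', a blocklisted name prefix such as 'nolb-', and any package that declares an abnormally large number of dependencies. The blocklist, the threshold and the sample lockfile are constructed assumptions.

```javascript
// Added example: flag package-lock.json (lockfileVersion 2/3) entries that match
// the patterns described in the article. Blocklist and threshold are assumptions.
const BLOCKED_NAMES = new Set(["no-one-left-behind"]);
const BLOCKED_PREFIXES = ["nolb-"];
const MAX_DIRECT_DEPS = 500; // assumed threshold; "depends on everything" is far above it

// Turn a lockfile key like "node_modules/a/node_modules/b" into the package name "b".
// Scoped names ("node_modules/@scope/pkg") are preserved as "@scope/pkg".
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// lockfile: parsed package-lock.json. Returns a list of {name, reason} findings.
function auditLockfile(lockfile) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === "") continue; // "" is the root project itself, not a dependency
    const name = packageNameFromKey(key);
    if (BLOCKED_NAMES.has(name)) {
      findings.push({ name, reason: "blocklisted package name" });
    }
    const prefix = BLOCKED_PREFIXES.find((p) => name.startsWith(p));
    if (prefix) {
      findings.push({ name, reason: `name uses blocklisted prefix '${prefix}'` });
    }
    const depCount = Object.keys(entry.dependencies || {}).length;
    if (depCount > MAX_DIRECT_DEPS) {
      findings.push({ name, reason: `declares ${depCount} dependencies (> ${MAX_DIRECT_DEPS})` });
    }
  }
  return findings;
}

// Build a dependency map with n constructed entries ("dep-0": "1.0.0", ...).
function bigDeps(n) {
  return Object.fromEntries(Array.from({ length: n }, (_, i) => [`dep-${i}`, "1.0.0"]));
}

// Constructed sample lockfile for demonstration; not a real project.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { express: "^4.18.0" } },
    "node_modules/express": { version: "4.18.2", dependencies: { debug: "2.6.9" } },
    "node_modules/express/node_modules/debug": { version: "2.6.9" },
    "node_modules/no-one-left-behind": { version: "1.0.0", dependencies: bigDeps(600) },
    "node_modules/nolb-abc": { version: "1.0.0" },
  },
};
```

Running `auditLockfile(SAMPLE_LOCKFILE)` reports two findings for 'no-one-left-behind' (name and dependency count) and one for 'nolb-abc'; the same function can be pointed at a real lockfile via `JSON.parse(fs.readFileSync("package-lock.json"))`.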
In PyPI, meanwhile, the author 'sexydev1337' uploaded packages containing code heavily obfuscated with Hyperion. Security researchers found that the code can execute scripts that download and run harmful binaries from external servers and potentially even substitute executable files.
Additionally, they observed that numerous malicious actors had developed methods to evade detection when their packages are analysed inside virtual machines.
What measures are being taken to address this issue?
Fortunately, the npm security team has taken action by removing the package 'no-one-left-behind' from the repository. A placeholder carrying a security warning now replaces it, to prevent any further harm to users.
Meanwhile, some packages by 'infinitebrahamanuniverse' are still available and are being closely monitored. This incident serves as a reminder to developers that open-source packages can be vulnerable to security threats.
We hope such malicious packages will not become a regular find on npm and PyPI. While open-source software provides many advantages, it also poses certain risks, so it is essential to implement suitable measures to mitigate those risks and protect the security of software applications.
The sources for this article include a story from It’s FOSS News.