Researcher finds malicious packages lurked on npm for months

Researchers at the firm ReversingLabs* reported on Thursday that they discovered two open source packages on the npm open source registry that contained malicious code. It is just the latest instance of malicious packages being discovered on a popular open source platform.

The packages have since been removed. However, the researchers warn that they lurked, undetected, on npm for months. Each had been downloaded hundreds of times before they were removed, raising questions about what other threats may lurk on popular open source platforms like npm, PyPI and GitHub.

In a blog post, ReversingLabs researcher Lucija Valentić said she discovered the open source packages while scanning npm, the popular open source package manager for Node.js, the JavaScript runtime environment. The first, nodejs-encrypt-agent, caught Valentić’s attention due to a number of characteristics that are typical of packages that are “typosquatting” – or imitating other, legitimate open source packages. (Read about my ongoing work with ReversingLabs here.)

npm package names, numbers signal trouble

For example, the name of the npm page hosting the package didn’t line up with the name listed in the file, Valentić noted. Beyond that, the name in the file, agent-base, was the same as a popular npm package that is used to create the underlying socket that an application’s HTTP client requests will use.

The nodejs-encrypt-agent also used suspicious version numbering. Though the earliest instance of the package dated to just two months prior, that package had a relatively high version number, 6.0.2 for what amounted
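The two indicators described above (a package.json name that disagrees with the registry name and imitates a popular package, and a high version number on a package that has only existed for weeks) can be turned into a simple pre-install check. The following is an added example, not code from ReversingLabs or from the article; it assumes a simplified metadata shape similar to what the npm registry returns, an illustrative allow-list of well-known names, and thresholds (major version 2 or higher, younger than 180 days) chosen here for illustration. The sample input is constructed to mirror the article's description of nodejs-encrypt-agent.

```javascript
// Added example: heuristic typosquat indicators for an npm package.
// Not the article's or ReversingLabs' code; thresholds and the allow-list are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Names an attacker might imitate. Assumption: in practice this would come from
// your own dependency allow-list or registry download statistics.
const WELL_KNOWN = new Set(['agent-base', 'lodash', 'express']);

// Extract the major version from a "x.y.z" string; null if it does not parse.
function parseSemverMajor(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? Number(m[1]) : null;
}

// registryName: the name the package is published under on npm.
// meta: { version, time: { created }, packageJson: { name } } (simplified registry view).
// now: reference time in ms, injectable so results are reproducible.
function auditPackage(registryName, meta, now = Date.now()) {
  const findings = [];
  const pkgJsonName = meta.packageJson && meta.packageJson.name;

  // Indicator 1: registry name and the "name" field inside the package disagree.
  if (pkgJsonName && pkgJsonName !== registryName) {
    findings.push(`name mismatch: registry "${registryName}" vs package.json "${pkgJsonName}"`);
    // Worse if the embedded name is that of a popular package.
    if (WELL_KNOWN.has(pkgJsonName)) {
      findings.push(`package.json name imitates well-known package "${pkgJsonName}"`);
    }
  }

  // Indicator 2: a high major version on a package that has only existed briefly.
  const created = Date.parse(meta.time.created);
  const ageDays = (now - created) / DAY_MS;
  const major = parseSemverMajor(meta.version);
  if (major !== null && major >= 2 && ageDays < 180) {
    findings.push(`version ${meta.version} is implausibly high for a package first published ${Math.round(ageDays)} days ago`);
  }

  return { name: registryName, suspicious: findings.length > 0, findings };
}

// Constructed sample data modelled on the article (not real registry records).
const SAMPLE_SUSPICIOUS = {
  version: '6.0.2',
  time: { created: '2023-03-01T00:00:00Z' },
  packageJson: { name: 'agent-base' },
};
const SAMPLE_BENIGN = {
  version: '1.0.3',
  time: { created: '2023-03-01T00:00:00Z' },
  packageJson: { name: 'my-utils' },
};
const NOW = Date.parse('2023-05-01T00:00:00Z'); // two months after "created"

console.log(JSON.stringify(auditPackage('nodejs-encrypt-agent', SAMPLE_SUSPICIOUS, NOW), null, 2));
console.log(JSON.stringify(auditPackage('my-utils', SAMPLE_BENIGN, NOW), null, 2));
```

Run it before adding a dependency: a result with `suspicious: true` is a prompt to read the package source and publish history, not a verdict, since legitimate forks and renamed packages can also trip the name check.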