Malware, Vulnerability Management

TurkoRAT malware lurking in NPM packages

BleepingComputer reports that three malicious NPM packages mimicking NodeJS libraries, which accumulated more than 1,200 downloads during the past two months, have been distributing the TurkoRAT information-stealing malware. ReversingLabs researchers discovered that one of the packages, dubbed "nodejs-encrypt-agent," contained a "lib.exe" executable that resembles the legitimate NodeJS application but executes TurkoRAT, a customizable stealer that could compromise login credentials and crypto wallets, as well as evade debuggers and sandbox environments. TurkoRAT was also deployed by "nodejs-cookie-proxy-agent," which listed "axios-proxy" as a dependency that carried the executable in an effort to better evade detection. "This time, attackers disguised it as a dependency, axios-proxy, that was imported into every file found inside nodejs-cookie-proxy-agent versions 1.1.0, 1.2.0, 1.2.1 and 1.2.2," said researchers, who added that although the packages were removed following their detection, their prolonged stay on NPM signifies the elevated risk that open source packages pose to the software supply chain.
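A lockfile check for the package names and versions named in the report, as an added example that is not code from BleepingComputer, ReversingLabs or SC Media. The sample lockfile is constructed, and flagging every version of nodejs-encrypt-agent and axios-proxy is an assumption, because the report gives no version numbers for them.

```javascript
// Names and versions come from the report above. null = flag any version
// (assumption: the report gives no version numbers for that package).
const FLAGGED = {
  "nodejs-encrypt-agent": null,
  "axios-proxy": null,
  "nodejs-cookie-proxy-agent": ["1.1.0", "1.2.0", "1.2.1", "1.2.2"],
};
const MARKER = "node_modules/";
function isFlagged(name, version) {
  if (!Object.prototype.hasOwnProperty.call(FLAGGED, name)) return false;
  return FLAGGED[name] === null || FLAGGED[name].includes(version);
}
// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/a/node_modules/b"; an aliased install carries a "name" field.
function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf(MARKER);
    if (idx === -1) continue; // root project or workspace folder
    const name = meta.name || path.slice(idx + MARKER.length);
    if (isFlagged(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
}
// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function scanDependencyTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = [...trail, name].join(" > ");
    if (isFlagged(name, meta.version)) hits.push({ name, version: meta.version, path });
    scanDependencyTree(meta.dependencies, [...trail, name], hits);
  }
}

function findFlaggedPackages(lock) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, hits);
  else scanDependencyTree(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/axios": { version: "1.4.0" },
    "node_modules/nodejs-cookie-proxy-agent": { version: "1.2.1" },
    "node_modules/nodejs-cookie-proxy-agent/node_modules/axios-proxy": { version: "1.0.0" },
  },
};
console.log(findFlaggedPackages(SAMPLE_LOCK));
```

To check a real project, pass the parsed contents of its package-lock.json to `findFlaggedPackages`; transitive entries are covered because both lockfile layouts list nested dependencies.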
