RATs found hiding in the npm attic

Researchers from ReversingLabs uncovered malicious npm packages that masquerade as legitimate dependencies, embedding a TurkoRat-based PE and enabling data theft. The attacks leverage typosquatting and deceptive naming to spread, and when the pieces are analyzed in combination, they reveal a clear supply-chain abuse with credential and wallet theft capabilities.
#nodejs_encrypt_agent #nodejs_cookie_proxy_agent #TurkoRat #axios_proxy #npm

Keypoints

  • Malicious npm packages nodejs-encrypt-agent and nodejs-cookie-proxy-agent host TurkoRat, a customizable stealer, inside a PE file.
  • Red flags include discrepancies between package names and readme (agent-base) plus unusually high initial version numbers (e.g., 6.0.2) to lure hurried developers.
  • The PE file executes commands and can write to and delete from Windows system directories, and can tamper with DNS settings.
  • TurkoRat steals credentials (including web login data and crypto wallets) and can defeat sandbox/debuggers to evade analysis.
  • The packaging uses pkg to bundle files into a single executable and stores them in a virtual file system, facilitating distribution inside npm packages.
  • Other variants include nodejs-cookie-proxy-agent embedding axios-proxy as a malicious dependency; npm later removed the malicious packages, but downloads had already occurred.
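As an added example (not code from ReversingLabs or from any of the packages named here), the following Node.js script checks a package's metadata and tarball contents for the three red flags listed above: a README headline that names a different package than package.json, a lone first release that already carries a high major version, and a Windows PE (MZ header) bundled among the files. The package data is constructed for the demonstration, and the `auditPackage` helper and its "major version above 1" threshold are assumptions of this example, not a published detection rule.

```javascript
// Added example, not code from ReversingLabs or the npm project: a pre-install
// audit that flags the red flags the write-up describes, given a package's
// package.json, README text, published version list and tarball contents.
// Every input below is constructed test data.

const PE_MAGIC = Buffer.from('MZ', 'ascii'); // first two bytes of a Windows PE

// Red flag 1: the README headline names a different package than package.json
// (the write-up's example: package nodejs-encrypt-agent, README for agent-base).
// Returns the README's headline name when it disagrees with pkgName, else null.
function readmeNameMismatch(pkgName, readme) {
  const heading = readme.split(/\r?\n/).find((line) => /^#\s+\S/.test(line));
  if (!heading) return null;
  const headlineName = heading.replace(/^#\s+/, '').trim().split(/\s+/)[0];
  return headlineName.toLowerCase() === pkgName.toLowerCase() ? null : headlineName;
}

// Red flag 2: a single published version that already has a high major number
// (6.0.2 as a first release), imitating a mature project. Threshold is assumed.
function suspiciousInitialVersion(versions) {
  if (versions.length !== 1) return false;
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(versions[0]);
  if (!m) return false;
  return Number(m[1]) > 1;
}

// Red flag 3: a PE executable shipped inside a JavaScript package.
// files: [{ path, data: Buffer }]. Returns the paths whose content starts with MZ.
function embeddedPeFiles(files) {
  return files
    .filter((f) => f.data.length >= 2 && f.data.subarray(0, 2).equals(PE_MAGIC))
    .map((f) => f.path);
}

// Combines the three checks; returns a list of human-readable findings.
function auditPackage({ packageJson, readme, versions, files }) {
  const findings = [];
  const other = readmeNameMismatch(packageJson.name, readme);
  if (other) findings.push(`README describes "${other}" but package is "${packageJson.name}"`);
  if (suspiciousInitialVersion(versions)) findings.push(`first published version is ${versions[0]}`);
  for (const p of embeddedPeFiles(files)) findings.push(`PE executable bundled at ${p}`);
  return findings;
}

// Constructed sample modelled on the write-up's description (the bytes are invented).
const SUSPICIOUS = {
  packageJson: { name: 'nodejs-encrypt-agent', version: '6.0.2' },
  readme: '# agent-base\n\nTurn a function into an `http.Agent` instance\n',
  versions: ['6.0.2'],
  files: [
    { path: 'package/index.js', data: Buffer.from('module.exports = {};\n') },
    { path: 'package/lib/agent.exe', data: Buffer.concat([Buffer.from('MZ'), Buffer.alloc(62)]) },
  ],
};

// Constructed benign sample: name matches README, modest first version, JS only.
const CLEAN = {
  packageJson: { name: 'tiny-helper', version: '0.1.0' },
  readme: '# tiny-helper\n\nA small helper.\n',
  versions: ['0.1.0'],
  files: [{ path: 'package/index.js', data: Buffer.from('module.exports = {};\n') }],
};

for (const [label, pkg] of [['suspicious', SUSPICIOUS], ['clean', CLEAN]]) {
  console.log(label, auditPackage(pkg));
}
```

In practice the inputs would come from `npm pack` output and the registry's version list for the package; the script reports three findings for the constructed suspicious package and none for the benign one. The checks are heuristics: a name mismatch or a high first version is only a prompt for closer review, whereas an MZ header in a pure-JavaScript package warrants blocking the install until the binary is examined.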

MITRE Techniques

  • [T1195] Software Supply Chain – The malicious npm packages are used to deliver TurkoRat through typosquatting and dependency substitution. “typosquatting and other supply chain attacks” …
  • [T1027] Obfuscated/Compressed Files and Information – The malicious code is bundled inside a single packaged executable (PE) within the npm package. “bundled all the necessary files into a single package executable.”
  • [T1036] Masquerading – Name and version discrepancies and linking to legitimate package pages to appear authentic, e.g., readme.md showing agent-base and a GitHub link. “the malicious package could look more authentic.”
  • [T1497] Virtualization/Sandbox Evasion – The malware includes capabilities to fool or defeat sandbox environments and debuggers. “fool or defeat sandbox environments and debuggers…”
  • [T1059] Command and Scripting Interpreter – The PE executes malicious commands hidden in the index.js file. “…malicious commands hidden in the first few lines of the index.js file.”
  • [T1070.004] File Deletion – The PE can write to and delete from Windows system directories. “the ability to write to and delete from Windows system directories.”
  • [T1071.004] DNS – The malware tampers with DNS settings or uses DNS-related techniques for C2. “ability to tamper with DNS (domain name system) settings” and related references.

Indicators of Compromise

  • [Hash] Malicious PE and related package hashes – ef3ea4dc2d3ba466e40b8cc5e2b20cb026cf7936, 1a8a8fa87aff26fc2b269846f0f0d5be588bc6ee, 99537ef2edffcebe6ebe88cc5d3d9420d397e89c
  • [Hash] Additional package hashes for nodejs-encrypt-agent and nodejs-cookie-proxy-agent variants – 8093060aa8cea40a790ea0538c14bb11f3a02cd0, 395d592b52c2947dd6bff455725a3c4204f41bb4
  • [Hash] More related hashes for axios-proxy and other dependencies – d6e03a4023a3759cd28eb85c909bc17af4b78b7e, 3576ccdd8fdde01a6d55c62f45aa8960a479ebee
  • [File name] nodejs-encrypt-agent, nodejs-cookie-proxy-agent, axios-proxy, node-cookie-proxy-agent – malicious npm packages and their variants documented in tables and figures

Read more: https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic