NPM Packages for Node.js Hiding Dangerous TurkoRat Malware

The security landscape continues to evolve, with threat actors constantly devising new methods to exploit vulnerabilities. In recent news, two malicious packages carrying an open source information stealer known as TurkoRat were found in the npm package repository. These packages, named nodejs-encrypt-agent and nodejs-cookie-proxy-agent, were available for over two months and were downloaded approximately 1,200 times before being identified and removed.


Unmasking TurkoRat: An Information Stealer


According to ReversingLabs, a renowned security research organization, TurkoRat is a potent information stealer capable of extracting sensitive data such as login credentials, website cookies, and even information from cryptocurrency wallets. While nodejs-encrypt-agent was found to contain the malware, nodejs-cookie-proxy-agent disguised the trojan under the seemingly innocent dependency name “axios-proxy.”

To add to the deception, nodejs-encrypt-agent disguised itself as a legitimate npm module called agent-base, which has been downloaded an astonishing 25 million times to date. The tactics employed by the malware creators highlight the need for robust security measures within the open source software supply chain.

The Rogue Packages: Identification and Impact

The following is a list of the malicious packages and their associated versions that developers should be aware of:


  1. nodejs-encrypt-agent (versions 6.0.2, 6.0.3, 6.0.4, and 6.0.5)
  2. nodejs-cookie-proxy-agent (versions 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, and 1.2.4)
  3. axios-proxy (versions 1.7.3, 1.7.4, 1.7.7, 1.7.9, 1.8.9, and 1.9.9)

These packages were downloaded and utilized by unsuspecting developers, putting their projects and users at risk. The discovery of such malicious packages raises concerns about the reliability and security of open source software dependencies.
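One way to check a project against the list above is to scan its package-lock.json for the exact name and version pairs. This is an added example, not code from ReversingLabs or the original article; the function name findKnownBad and the sample lockfile are constructed for illustration.

```javascript
// Added example: names and versions are taken from the list above.
const KNOWN_BAD = new Map([
  ['nodejs-encrypt-agent', ['6.0.2', '6.0.3', '6.0.4', '6.0.5']],
  ['nodejs-cookie-proxy-agent', ['1.1.0', '1.2.0', '1.2.1', '1.2.2', '1.2.3', '1.2.4']],
  ['axios-proxy', ['1.7.3', '1.7.4', '1.7.7', '1.7.9', '1.8.9', '1.9.9']],
]);

// Walk a parsed package-lock.json and return every install of a listed version.
// Covers lockfileVersion 2/3 ("packages" keyed by install path) and
// lockfileVersion 1 (nested "dependencies" tree), so transitive installs are seen.
function findKnownBad(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = KNOWN_BAD.get(name);
    if (bad && bad.includes(version)) hits.push({ name, version, where });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    // "node_modules/a/node_modules/b" -> "b"; an explicit "name" field wins
    const name = meta.name || path.split('node_modules/').pop();
    check(name, meta.version, path);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, trail.concat(name).join(' > '));
      walk(meta.dependencies, trail.concat(name));
    }
  };
  // v2 lockfiles carry both sections; only use the tree when "packages" is absent
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile. agent-base 6.0.2 is the legitimate module and must
// not be flagged even though 6.0.2 is a listed version of nodejs-encrypt-agent.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/agent-base': { version: '6.0.2' },
    'node_modules/nodejs-cookie-proxy-agent': { version: '1.2.3' },
    'node_modules/nodejs-cookie-proxy-agent/node_modules/axios-proxy': { version: '1.7.9' },
  },
};

console.log(findKnownBad(SAMPLE_LOCK));
```

To scan a real project, pass the result of JSON.parse on the contents of its package-lock.json to findKnownBad. An empty result only means none of the listed versions are pinned in that lockfile.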


Insights from ReversingLabs: A Call for Vigilance

Lucija Valentić, a threat researcher at ReversingLabs, warns that TurkoRat is merely one of the many open source malware families available for “testing” purposes, which can easily be modified and weaponized for malicious intent. The recent incident underscores the persistent threat of supply chain attacks orchestrated through open source packages, enticing developers into unwittingly incorporating potentially untrusted code into their projects.

Valentić emphasizes the need for development organizations to exercise scrutiny when evaluating the features and behaviors of open source, third-party, and commercial code. Vigilance is key to tracking dependencies and detecting potential malicious payloads that could compromise software security.


The Growing Concern: Attacker Interest in Open Source


The discovery of malicious npm packages aligns with a wider trend of increasing attacker interest in open source software supply chains. Threat actors recognize the potential vulnerabilities present within these ecosystems and exploit them for their nefarious purposes. This unsettling trend not only highlights the importance of fortifying security measures but also underscores the growing sophistication of threat actors in the digital landscape.


New Research: Impersonation Techniques and Countermeasures


In a recent study conducted by researchers from Checkmarx, another concerning discovery was made. Threat actors were found to impersonate authentic npm packages by manipulating package names, using lowercase letters to mimic uppercase letters present in the original names. For instance, “memoryStorageDriver” could be disguised as “mem

