Automated malware detection systems have once again flagged several malicious packages lurking in the npm registry.
“Once again, this particular discovery is a further indication that developers are the new target for adversaries over the software they write,” writes Sonatype, noting that all the packages were published by the same author.
The Sonatype researchers reported the malicious packages (named okhsa, klow and klown) to npm only hours after their release, and the packages were unlisted the same day, causing little to no damage.
npm is no stranger to these infiltrations: Sonatype has previously shared that its automated systems have identified over 12,000 suspicious and malicious npm packages since 2019.
What’s interesting about these newly flagged (and subsequently removed) packages is that they didn’t employ any of the usual ploys to trick developers into installing them.
“It isn’t clear how the author of these packages aims to target developers. There are no obvious signs observed that indicate a case of typosquatting or dependency hijacking. ‘Klow(n)’ does impersonate the legitimate UAParser.js library on the surface, making this attack seem like a weak brandjacking attempt,” observe the researchers.
Sonatype says it is now expanding the malware detection capabilities that caught these packages in npm to other ecosystems as well, such as PyPI.