Unfortunately, according to the WhiteSource team, the repository also allows attackers an opportunity to slip malware into applications without any warning to the developer.
In some cases, the infection attempts were a bit more targeted. The researchers found one particular piece of malware impersonating a library used in-house by food delivery service GrubHub, presumably in an attempt to get the malware onto the work system of one of the company's developers.
Either way, the apparent intent of the attackers was to infect not only the application and its developers, but also the people who used the application. By getting into a popular application at the developer level, the attackers could potentially infect thousands of enterprises that rely on it, similar to what happened in 2020 with the SolarWinds supply chain attack.
As for the malware itself, the WhiteSource crew found the bad libraries were performing fairly common attacks, such as searching for login credentials or collecting cryptocurrency wallet keys. Other aims included installing botnet clients and stealing personal data from victims. According to the report, nearly 14% of the malicious packages discovered were designed to steal sensitive data such as credentials.
Not every one of the 1,300 libraries found was outright malware, however. The researchers noted that some of the samples they collected appeared to be experimental libraries that were being used by security researchers to test applications.
"Without question," WhiteSource said, "the best defense against malicious activity in NPM packages is a knowledgeable developer community."
In related news, NPM, Inc., a subsidiary of GitHub that maintains the open source software, announced on Tuesday that it is implementing mandatory two-factor authentication for the maintainers of the top 100 NPM packages.