HomeTechnologyNewsOpen source 'Package Analysis' tool finds malicious npm, PyPI packages

Open source ‘Package Analysis’ tool finds malicious npm, PyPI packages


The Open Source Security Foundation (OpenSSF), an initiative supported by the Linux Foundation, has released its first prototype version of the ‘Packet Analysis’ tool that aims to detect and counter malicious attacks on open source registries.

In a pilot run that lasted less than a month, the open source project released on GitHub was able to identify more than 200 malicious npm and PyPI packages.

The project aims to combat malware in open source registries

This week, OpenSSF released its initial prototype version of the ‘Package Analysis’ project on GitHub.

The project repository contains tools that analyze open source packages, in particular, for malicious npm and PyPI packages.

“The Package Analysis Project seeks to understand the behavior and capabilities of packages available in open source repositories: what files do they access, what addresses do they connect to, and what commands do they execute?” explain Caleb Brown and David A. Wheeler, who are involved in the OpenSSF Securing Critical Projects working group.

“The project also tracks changes in packet behavior over time, to identify when previously safe software begins to act suspiciously.”

In its test run that lasted less than a month, Package Analysis was able to identify more than 200 malicious PyPI and npm components, according to OpenSSF.

The vast majority of these malicious packages, OpenSSF says, are dependency confusion and typo attacks.

Among all the malicious packages identified by Package Analysis, one of them is ‘colorsss’ which was previously considered malicious:

malicious npm typosquat colorsss
malicious npm typosquat ‘colorsss’ (BleepingComputer)

The ‘colorsss’ package is a typosquat of the popular colors npm library, select versions of which had been sabotaged by its developer this January, as first reported by BleepingComputer.

In addition to containing some legitimate color library files, the ‘colorsss’ malicious packages obfuscated the malware, according to an archived copy of the package obtained by BleepingComputer from open source security firm Sonatype:

hidden malware inside colorsss
Obfuscated malware hidden within the ‘colorsss’ typosquat (BleepingComputer)

The obfuscated code in ‘colorsss’ contains Discord token stealers, a recurring theme among malicious npm packages.

“Although the project has been in development for a while, it has only recently become useful after extensive modifications based on initial experiences,” OpenSSF states in a blog post published this week.

“There are many opportunities to get involved in this project, and we welcome anyone interested in contributing to the future goals of… detecting differences in packet behavior over time; automating the processing of analysis results of packets; storing the packets themselves as they are processed for long-term analysis and improving pipeline reliability.

Full disclosure: I regularly attend OpenSSF group meetings as a member. The malicious typosquat, ‘colorsss’ mentioned in the article, had previously been analyzed by Sonatype’s security research team, which includes me.

Must Read

%d bloggers like this: