
npm packages hide TurkoRAT malware in what looks like a NodeJS EXE
2023-05-20 13:06

Researchers have discovered multiple npm packages that are named after NodeJS libraries and bundle a Windows executable that resembles NodeJS but instead drops a sinister trojan.

These packages, given their stealthiness and a very low detection rate, had been present on npm for over two months prior to their detection by the researchers.

Researchers at software security firm ReversingLabs have analyzed three npm packages that lurked on the npmjs.com registry for over two months.

Although nodejs-encrypt-agent didn't initially sound alarms and even mirrored the functionality of legitimate packages like agent-base, there was more to it, the researchers discovered.

"As we observed above: there was little question that the PE discovered within the npm package was malicious," states Lucija Valentić of ReversingLabs.

All malicious packages were removed from the npm registry shortly after their detection by ReversingLabs.


News URL

https://www.bleepingcomputer.com/news/security/npm-packages-hide-turkorat-malware-in-what-looks-like-a-nodejs-exe/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Nodejs 2 3 50 88 14 155