Security News > 2023 > May > npm packages hide TurkoRAT malware in what looks like a NodeJS EXE
Researchers have discovered multiple npm packages named after NodeJS libraries that even pack a Windows executable that resembles NodeJS but instead drops a sinister trojan.
These packages, given their stealthiness and a very low detection rate, had been present on npm for over two months prior to their detection by the researchers.
Researchers at software security firm ReversingLabs have analyzed three npm packages that lurked on the npmjs.com registry for over two months.
Although nodejs-encrypt-agent didn't initially sound alarms and even mirrored the functionality of legitimate packages like agent-base, there was more to it, the researchers discovered.
"As we observed above: there was little question that the PE discovered within the npm package was malicious," states Lucija Valenti? of ReversingLabs.
All malicious packages were removed from the npm registry shortly after their detection by ReversingLabs.
News URL
Related news
- BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers (source)
- Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages (source)
- Malicious NPM Packages Target Roblox Users with Data-Stealing Malware (source)
- Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack (source)