npm packages found hosting TurkoRat malware

Typo-squatting attacks re-emerge.

A research outfit called Reversing Labs has found TurkoRat lurking on the npm package repository.

The two malicious packages were typo-squatting on legitimate packages, Reversing Labs said in a blog post, and had been available on npm for around two months before they were discovered.

Typo-squat attacks try to trick developers looking for popular packages like React into downloading a package with a look-alike name (R2act, for example).
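As an added example (not part of the iTnews article or of ReversingLabs' research), the Node.js script below shows one defensive check a team can run over its own package.json: it compares every dependency name against a list of packages the team expects to use and flags names that sit within a small edit distance of an expected name (the React/R2act case) or that wrap an expected name in extra hyphenated segments (the pattern of nodejs-cookie-proxy-agent around cookie-proxy-agent, both named later in the article). The expected-package list, the allowlist and the package.json contents are constructed for the demonstration.

```javascript
// Added example: heuristic typo-squat check for package.json dependencies.
// Not the article's or ReversingLabs' code; all lists below are constructed.

// Packages this (hypothetical) team expects to depend on. In practice this would come
// from an approved-package allowlist or from npm download-count data.
const EXPECTED = ["react", "lodash", "express", "agent-base", "cookie-proxy-agent"];

// Names that legitimately contain an expected name and must not be flagged.
const ALLOWLIST = new Set(["react-dom", "express-session"]);

// Constructed package.json; "r2act" and "nodejs-cookie-proxy-agent" are the look-alikes.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: {
    "r2act": "^18.0.0",
    "react-dom": "^18.0.0",
    "nodejs-cookie-proxy-agent": "1.0.0",
    "lodash": "^4.17.21",
  },
  devDependencies: { "nodejs-encrypt-agent": "6.0.2" },
});

// Standard Levenshtein distance using a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // holds d[i-1][j-1] as j advances
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j]; // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return prev[b.length];
}

// True when `needle` appears as a contiguous run inside `hay` (arrays of name segments).
function containsRun(hay, needle) {
  for (let i = 0; i + needle.length <= hay.length; i++) {
    let match = true;
    for (let j = 0; j < needle.length; j++) {
      if (hay[i + j] !== needle[j]) { match = false; break; }
    }
    if (match) return true;
  }
  return false;
}

// Collect dependency and devDependency names from package.json text.
function depsFromPackageJson(text) {
  const pkg = JSON.parse(text);
  return [...Object.keys(pkg.dependencies || {}), ...Object.keys(pkg.devDependencies || {})];
}

// Return one finding per suspicious dependency: { dep, lookalike, reason }.
function findTypoSquatCandidates(deps, expected = EXPECTED, allow = ALLOWLIST, maxDistance = 2) {
  const expectedSet = new Set(expected);
  const findings = [];
  for (const dep of deps) {
    if (expectedSet.has(dep) || allow.has(dep)) continue; // exact expected name or explicitly allowed
    const depSegs = dep.split(/[-._]/);
    for (const name of expected) {
      const dist = levenshtein(dep, name);
      if (dist > 0 && dist <= maxDistance) {
        findings.push({ dep, lookalike: name, reason: `edit distance ${dist}` });
        break;
      }
      if (containsRun(depSegs, name.split(/[-._]/))) {
        findings.push({ dep, lookalike: name, reason: "wraps expected name in extra segments" });
        break;
      }
    }
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed package.json.
console.log(JSON.stringify(findTypoSquatCandidates(depsFromPackageJson(SAMPLE_PACKAGE_JSON)), null, 2));
```

Running it flags r2act (distance 1 from react) and nodejs-cookie-proxy-agent (wraps cookie-proxy-agent), while react-dom is spared by the allowlist. The constructed nodejs-encrypt-agent entry is not caught by either heuristic, which is the honest limitation of name-based checks: they complement, rather than replace, lockfile review and inspection of what a package actually executes on install.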

The legitimate packages are nodejs-encrypt-agent and nodejs-cookie-proxy-agent.

Nodejs-encrypt-agent is part of Agent-Base version 6.0.2, which the company said has been downloaded 20 million times.

Node-cookie-proxy-agent “is not as popular as agent-base, but it was continuously downloaded throughout last year”, the researchers said.

“The malicious actors were clearly hoping one of those millions of developers would be fooled into downloading the malicious package instead of the benign one,” Reversing Labs noted.

Attack behaviours observed by the researchers included writing to and deleting from Windows directories, executing commands, and tampering with DNS settings.

TurkoRat is an open-source, customisable malware offered on GitHub.

Reversing Labs said a malicious actor “can modify a few settings in the build to alter the configuration and capabilities of the finished portable executable file.

“They would then need to use build.bat to rebuild it and package it into a malicious executable,” it added.

The Reversing Labs researchers found that the npm package bundles all the necessary files into a single executable.

They said “the malicious packages were almost certainly responsible for the malicious TurkoRat being run on an unknown number of developer machines.”

Last year, cryptominers were found in 186 typo-squatting packages.

Copyright © iTnews.com.au. All rights reserved.