Open source ‘Package Analysis’ tool finds malicious npm and PyPI packages

The Open Source Security Foundation (OpenSSF), an initiative supported by the Linux Foundation, has released its first prototype version of the “Package Analysis” tool which aims to detect and counter malicious attacks on open source registries.

During a pilot run that lasted less than a month, the open-source project published on GitHub was able to identify over 200 malicious npm and PyPI packages.

The project aims to combat malware in open source registries

This week, OpenSSF released its first prototype version of the ‘Package Analysis’ project on GitHub.

The project repository contains tools that scan open source packages, specifically to find malicious npm and PyPI packages.

“The Package Analysis project seeks to understand the behavior and capabilities of packages available on open source repositories: what files do they access, what addresses do they connect to, and what commands do they execute?” explain Caleb Brown and David A. Wheeler, who are involved in the OpenSSF Securing Critical Projects working group.

“The project also tracks changes in package behavior over time, to identify when previously safe software begins to act suspiciously.”
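The behaviour-over-time check described above, as an added example that is not code from the Package Analysis project: two sandbox reports for consecutive versions of a package are compared, and anything the newer version does that the older one did not (files touched, addresses contacted, commands run) is reported with a rough severity. The JSON shape, the expected-host list and the sample values are constructed for the example.

```python
import json
from dataclasses import dataclass

# Constructed sample reports in a made-up JSON shape (assumption: not the
# Package Analysis project's real output format). Each lists what a sandbox
# observed: files accessed, addresses connected to, commands executed.
BASELINE = json.dumps({"version": "1.0.0",
    "files": ["/tmp/build.log"],
    "addresses": ["registry.npmjs.org:443"],
    "commands": ["node index.js"]})
CANDIDATE = json.dumps({"version": "1.0.1",
    "files": ["/tmp/build.log", "/home/user/.npmrc"],
    "addresses": ["registry.npmjs.org:443", "203.0.113.10:8080"],
    "commands": ["node index.js", "sh postinstall.sh"]})

# Hosts a package install is expected to talk to (constructed allowlist).
EXPECTED_HOSTS = {"registry.npmjs.org", "pypi.org", "files.pythonhosted.org"}
# Path fragments that indicate credential or secret access.
SENSITIVE_NAMES = (".npmrc", ".pypirc", ".netrc", ".ssh", ".git-credentials")

@dataclass(frozen=True)
class Finding:
    kind: str      # "files", "addresses" or "commands"
    value: str
    severity: str  # "high", "medium" or "low"

def behaviour_sets(report_json):
    """Turn one report into {kind: set(observations)} for set arithmetic."""
    r = json.loads(report_json)
    return {k: set(r.get(k, [])) for k in ("files", "addresses", "commands")}

def rate(kind, value):
    """Rough triage: unknown hosts and credential files matter most."""
    if kind == "addresses":
        host = value.rsplit(":", 1)[0]
        return "low" if host in EXPECTED_HOSTS else "high"
    if kind == "files":
        return "high" if any(n in value for n in SENSITIVE_NAMES) else "low"
    return "medium"  # any newly executed command deserves a human look

def diff_behaviour(baseline_json, candidate_json):
    """Return findings for behaviour present in candidate but not in baseline."""
    base, cand = behaviour_sets(baseline_json), behaviour_sets(candidate_json)
    findings = [Finding(kind, v, rate(kind, v))
                for kind in cand for v in sorted(cand[kind] - base[kind])]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])

if __name__ == "__main__":
    for f in diff_behaviour(BASELINE, CANDIDATE):
        print(f"[{f.severity}] new {f.kind}: {f.value}")
```

Comparing a version against itself yields no findings, which is the property that makes the check useful for spotting the moment a previously quiet package starts doing something new.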

During its test, which lasted less than a month, Package Analysis was able to identify more than 200 malicious PyPI and npm packages, according to OpenSSF.

According to OpenSSF, the vast majority of these malicious packages are dependency confusion and typosquatting attacks.

Among all the malicious packages identified by Package Analysis, one of them is ‘colorsss’ which has been previously considered malicious:

Image: malicious npm typosquat ‘colorsss’ (BleepingComputer)

The ‘colorsss’ package is a typosquat of the popular colors npm, some versions of which were sabotaged by its developer in January, as first reported by BleepingComputer.

In addition to containing legitimate color library files, the malicious “colorsss” contains obfuscated malware, according to an archived copy of the package obtained by BleepingComputer from open-source security firm Sonatype:

Image: obfuscated malware hidden in the ‘colorsss’ typosquat (BleepingComputer)

The obfuscated code in ‘colorsss’ contains Discord token stealers, a recurring theme among malicious npm packages.

“Although the project has been in development for some time, it has only recently become useful after extensive modifications based on early experiences,” OpenSSF says in a blog post released this week.

“There are many opportunities to participate in this project, and we welcome anyone interested in contributing to the future goals of…detecting differences in package behavior over time; automating the processing of package analysis results; storing the packages themselves as processed for long-term analysis; and improving pipeline reliability.”

Full disclosure: I regularly attend OpenSSF group meetings as a member. The malicious typosquat ‘colorsss’ mentioned in the article had already been analyzed by Sonatype’s security research team, of which I am a part.
