This week in malware, Sonatype's automated malware detection systems had some rather interesting findings.
The development follows last month's discovery of 400+ packages targeting Microsoft Azure, Airbnb and Uber developers, as well as over 500 mysterious packages named after NodeJS terms.
VMware dependency confusion attempt detected by Sonatype
Sonatype discovered a dubious package 'vapi-client-bindings' published to the PyPI open source repository. The package contained proof-of-concept (PoC) dependency confusion code that we have now repeatedly seen in tens of thousands of open source packages.
However, further analysis uncovered that the package name is in fact used as a dependency by VMware's vSphere Automation SDK, which is exactly what gives a public PyPI package of that name its dependency confusion potential. This prompted Sonatype to notify the PyPI registry to take the package down.
VMware has confirmed no impact to its products or to users of the vSphere SDK dependency thus far.
Both VMware's statement and the statement of Kotko, the ethical hacker who published the package, are available in our blog post.
Obfuscated "secrets," not malware
A lesson in the importance of secrets management, and a reminder to developers fixing critical security vulnerabilities: your GitHub commits can often reveal too much.
Sonatype's automated malware detection bots flagged the npm package 'infoooze' as suspicious.
The reason? A mysterious, heavily obfuscated "src/secret.js" file lurking in the package. The file still exists in the latest version of 'infoooze' on both GitHub and npm.
Although JS minification and obfuscation are also used by legitimate packages, time and time again we have seen obfuscation of this kind leveraged by malicious actors to hide malware in their npm packages.
It turns out the 'infoooze' package was storing its VirusTotal API "secret" key within the npm package itself, protected only by simple, reversible obfuscation.
This attempt at security by obscurity falls short: the code that decodes the key has to ship in the same package for the package to use it, so anyone who downloads the package can run that decoding step, retrieve the API key and make VirusTotal lookups on behalf of the project developers, against their quota.
Sonatype notified the developer of 'infoooze' well in advance of publishing and offered to assist with secrets management. We thank the developer, Prateek Singh aka 7ORP3DO for allowing us to include his package in this educational blog piece.
Other examples featured in the same blog post include Wormhole's $326 million crypto hack of 2022, which may have resulted from the project's open GitHub pull requests, and another IP lookup library leaking secrets on its GitHub.
Written by Ax Sharma
Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime investigations. He has a passion for educating a wide range of audiences through writing and vlogs.