Since 2019, Sonatype’s AI tooling has found roughly 107,000 items that have been labelled as harmful, suspicious, or proof-of-concept.
Another sizable collection of malicious packages, which developers may unknowingly download from the npm and PyPI open source registries, has been uncovered by security researchers. Sonatype reported finding 691 malicious npm packages and 49 malicious PyPI components in January; between them they contained crypto-miners, remote access Trojans (RATs), and other harmful software.
Several of the packages carry the same malware: a Trojan called “go file” that uses Linux systems to mine cryptocurrency. According to Sonatype, sixteen of these were linked to the same actor, trendava, who has since been removed from the npm registry.
Separately, a PyPI malware package, “minimums,” was discovered that checks for the presence of a virtual machine (VM) before executing. The goal is to thwart security researchers, who frequently run suspected malware inside VMs to gather more information about the threat.
The security provider also found brand-new Python malware with traits of both a RAT and an information stealer. Finally, it discovered a suspicious-looking developer, “infinitebrahamanuniverse,” who uploaded over 33,000 packages that he claimed were parts of “no-one-left-behind,” or “nolb.” The latter was removed last week after the npm security team discovered that it depended on every other known publicly available npm package.
“If you check any npm package right now you’ll probably find under the dependents tab one of the nolb packages uploaded by ‘infinitebrahamanuniverse’,” states Sonatype.