Two malicious packages, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, were discovered in the npm package repository containing the TurkoRat open-source info-stealer.
TurkoRat is a sophisticated information stealer that targets various kinds of sensitive data, employs anti-detection measures and resists analysis. Together the two packages were downloaded approximately 1,200 times before they were detected. nodejs-encrypt-agent was made to pass for the legitimate agent-base package: the name shown on its npm page did not match the name in its readme.md.
The discovery of these packages highlights the risks of supply chain attacks and social engineering tactics used to deceive developers into unwittingly downloading malicious packages.
The authors of TurkoRat publish usage instructions for the malware while disclaiming responsibility for any resulting damage. After the disclosure, both packages were promptly removed from the npm repository.
The download counts were modest (about 500 for nodejs-encrypt-agent and fewer than 700 for nodejs-cookie-proxy-agent), but each install that ran the package likely executed TurkoRat on a developer machine, and the long-term consequences of those compromises remain hard to assess.
Organizations are advised to scrutinize the packages their development teams pull in, watching for irregularities such as misspelled or lookalike names, a README that names a different package than the one published, and version numbers that do not fit the package's publishing history, in order to reduce supply chain risk and defend against similar attacks.
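The checks recommended above can be scripted against npm registry metadata. The following Node.js script is an added example written for this page, not code from the article or from the researchers who reported the packages. It assumes a caller has already fetched each package's name, version list, install scripts and README (for instance from `npm view <pkg> --json`); the three records below are constructed for illustration, including the version numbers and install hook attributed to the lookalike package, and the `POPULAR` list is a stand-in for a real top-downloads list.

```javascript
// Heuristic triage of npm package metadata: README/package name mismatch,
// lookalike names, and a version history that does not fit a new package.
// Added example for this page; inputs are constructed, not real registry data.

// Constructed records shaped like the fields a caller would pull from
// `npm view <pkg> --json` plus the package README (assumption, not page data).
const SAMPLES = [
  {
    name: 'nodejs-encrypt-agent',
    readme: '# agent-base\n\nBase class for http.Agent implementations.',
    versions: ['6.0.0', '6.0.1'],              // constructed: two releases, high major
    scripts: { postinstall: 'node index.js' }, // constructed install hook
  },
  {
    name: 'agnet-base',                        // constructed typosquat
    readme: '# agnet-base\n\nAgent helper.',
    versions: ['1.0.0'],
    scripts: {},
  },
  {
    name: 'agent-base',                        // stand-in for the genuine package
    readme: '# agent-base\n\nBase class for http.Agent implementations.',
    versions: ['1.0.0', '2.0.0', '3.0.0', '4.0.0', '5.0.0'],
    scripts: {},
  },
];

// Stand-in for a list of widely used package names (assumption).
const POPULAR = ['agent-base', 'https-proxy-agent', 'cookie', 'express', 'lodash'];

// Single-row Levenshtein edit distance; used to spot near-miss names.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// First markdown H1 in the README, which is normally the package's own name.
function readmeTitle(readme) {
  const m = /^#\s+(\S+)/m.exec(readme || '');
  return m ? m[1] : null;
}

// Returns a list of {check, detail} findings for one package record.
function checkPackage(meta) {
  const findings = [];

  // 1. README names a different package than the one published.
  const title = readmeTitle(meta.readme);
  if (title && title !== meta.name) {
    findings.push({ check: 'readme-name-mismatch',
      detail: `README is titled "${title}" but the package is "${meta.name}"` });
  }

  // 2. Name is within two edits of a popular package (typo/lookalike).
  for (const p of POPULAR) {
    const d = levenshtein(meta.name, p);
    if (d > 0 && d <= 2) {
      findings.push({ check: 'lookalike-name',
        detail: `"${meta.name}" is ${d} edit(s) from "${p}"` });
    }
  }

  // 3. Very short history that starts at a high major version, as if
  //    copied from the package being imitated rather than earned over time.
  const major = parseInt(meta.versions[0].split('.')[0], 10);
  if (meta.versions.length <= 3 && major >= 2) {
    findings.push({ check: 'unusual-version',
      detail: `first of ${meta.versions.length} release(s) is ${meta.versions[0]}` });
  }

  // 4. Install-time hooks run code on `npm install`; not raised on the page,
  //    but a standard check because stealers commonly use them.
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (meta.scripts && meta.scripts[hook]) {
      findings.push({ check: 'install-hook', detail: `${hook}: ${meta.scripts[hook]}` });
    }
  }
  return findings;
}

// Map of package name -> sorted finding codes, for all records.
function triageAll(samples) {
  const out = {};
  for (const s of samples) out[s.name] = checkPackage(s).map(f => f.check).sort();
  return out;
}

console.log(JSON.stringify(triageAll(SAMPLES), null, 2));
```

The heuristics only rank packages for human review; a legitimate package can legitimately use a postinstall hook or jump a major version, so treat a hit as a prompt to read the tarball rather than as a verdict.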