Not one, not two, but three open-source software registries have come under attack at once in an organized cybercrime operation aimed at macOS users. A criminal group has uploaded harmful packages to PyPI, NPM, and RubyGems repositories to target respective developers.

What happened?

• The malware campaign was first noticed on September 3 when Phylum’s automated platform flagged the “kwxiaodian” package. Further investigation revealed that its setup.py contained suspicious contents. 
• Concurrently, security experts received alerts about harmful npm packages executing specific actions in the package.json preinstall hook, followed by the execution of obfuscated index.js files that disclosed activity details of malware.
• Actions performed by this malware package included gathering network interface information, collecting basic system information (OS details and available free memory), automatically terminating execution if the platform is not macOS, and encrypting and sending data to the attacker’s server.
• Separately, the RubyGems package mirrored the patterns seen in PyPI and npm packages, triggering automatic execution via “Rakefile” to collect and transmit host information to a remote server.

Identical behavior of packages

Despite targeting different platforms and programs, the malware campaigns against npm, PyPI, and RubyGems share striking commonalities.

• All packages communicate with a service hosted at IP address 81.70.191.194.
• They collect and transmit system information to this service.
• On macOS systems, the packages exclusively execute.
• Similar versions of the malware were published across these ecosystems.

The findings point to a single threat actor behind the campaign, however, the ultimate goal of the attackers remained unclear.

Other similar campaigns reported recently

• Phylum uncovered an ongoing campaign, suspected to be active since 2021, leveraging npm packages to steal source code and secrets from software developers. The packages were tied to cryptocurrency domains.
• In another incident, a malicious PyPI package, VMConnect, disguised itself as the legitimate VMware vSphere connector module vConnector to specifically target IT professionals. 

Conclusion

Malware continues to proliferate within open-source registries, even though developers are increasingly aware of the security risks associated with packages from unknown sources. The growing number of dependencies makes manual audits impractical. Consequently, employing automated solutions for detecting and blocking packages that violate defined policies is a prudent strategy for managing the threat of malware and other associated risks in the open-source ecosystem.