News and Notes from the Makers of Nexus | Sonatype Blog

Counterfeit Lodash attack leverages AnyDesk to target Windows users

Written by Ax Sharma | October 04, 2024

npm packages identified by Sonatype recently are named similar to the vastly popular JavaScript library, lodash. These packages abuse typosquatting and carry within them a modified version of AnyDesk utility to target developers using the Windows OS.

lodasher... isn't lodash

Tracked as sonatype-2024-011383, the npm package "lodasher" is named closely after the popular Lodash library and even has version ranges which lines with the real library. Whereas, the latest version of real Lodash ends at v4.17.21, that of the counterfeit package is v4.17.24, making it appear to be newer of the two components.

The illicit package along with similar packages named "laodasher," and "them4on" were all published by the same author and identified by Sonatype's automated malware detection systems that power groundbreaking products like Sonatype Repository Firewall.

Sonatype security researcher Carlos Fernandez analyzed these packages.

Altogether these packages received 850 downloads, broken down as follows:

The manifest file (package.json) describes "lodasher" as "A utility library that simplifies working with arrays, objects, and other data types, providing a rich set of functions for common programming tasks," much of what the legitimate Lodash is for.

Notice the "author" of the illicit package listed as "Microsoft" too, the parent company of npm and GitHub.

The main "index.js" file with functional code in the package contains simple base64-obfuscated code:

The purpose of this code is to ultimately launch a "dataset.db" file bundled within the package.

Don't be misled, however, the so-called "dataset.db" isn't a database but a Windows executable (EXE), and in fact a tainted version of the AnyDesk Remote Desktop utility.

"The code first checks if a directory named Google exists within the APPDATA path (the standard folder for storing user-specific application data). If the directory doesn't exist, it creates it," explains Fernandez.

After performing a few checks, the code ultimately copies this AnyDesk utility under the newly created Google folder and renames it to Chrome.exe.

"After a 5-second delay, the code attempts to execute this renamed Chrome.exe file, which is actually the AnyDesk.exe program," further explains the researcher.

AnyDesk versions bear an old code signing certificate

Recent AnyDesk breach had source code, certificates stolen

A test run on ANY.RUN sandbox for the executable in question launched, what looked like the real AnyDesk utility communicating with AnyDesk nodes across Europe.

We further observed the binary making questionable connections to domains like api.playanext.com, but those are very likely to be legitimate AnyDesk domains seen in previous reports.

In January 2024, AnyDesk experienced a "cybersecurity incident" in which AnyDesk's production servers had been breached. The attack involved threat actors stealing AnyDesk's source code and code signing certificates. An older, example binary shown in BleepingComputer's report bears a compromised code signing certificate from "philandro Software GmbH," whereas newer AnyDesk binaries signed with fresh (secure) certificates are issued by "AnyDesk Software GmBH."

The AnyDesk executable bundled within the illicit npm package carries a "philandro Software GmBH" certificate with a signing date of "April 7, 2020." Granted, reports of AnyDesk cybersecurity incident surfaced in 2024, one cannot rely on AnyDesk binaries signed with previous certificates, some of which have been revoked:

VirusTotal analysis thus far shows the EXE has zero-detections as it may very well contain legitimate functionalities of AnyDesk, but the EXE has been seen in previous threat campaigns and bears a negative ("-26") community score.

AnyDesk's most recent advice following the breach remains for users to "ensure that you are using the latest version, with the new code signing certificate."

'lodasher' mentioned in READMEs of legitimate packages

Fernandez pointed out that the docs and READMEs of real npm packages like 'restrict-imports-loader' make references to "lodasher" in one of the examples demonstrating the capabilities of restrict-imports-loader. But, this could in turn lend some unnecessary credibility to the illicit package:

....

Open source malware blocked by Sonatype Repository Firewall

While AnyDesk incident was contained earlier this year and any compromised binaries, if applicable, associated with the attack may no longer be potent in helping attackers achieve their goals, this incident is a stark reminder of threat actors' evolving tactics and commitment to exploiting the open source ecosystem for nefarious reasons. For example, it wouldn't be impossible for threat actors to leverage trojanized versions of remote desktop utilities like AnyDesk or TeamViewer to conduct their spying operations.

The case highlights a pressing need for improved supply chain security measures and greater vigilance in monitoring third-party software registries developers. Organizations must prioritize security at every stage of the development process to mitigate risks associated with third-party dependencies.

Sonatype Repository Firewall and Sonatype Lifecycle stay on top of nascent attacks and vulnerabilities and provide you with detailed insights to thwart previously undetected malware, Potentially Unwanted Applications (PUAs), and vulnerable components from reaching your builds:

Threat actors create malicious software components and distribute them through public open source repositories. This tactic is growing in popularity, and malicious open source is rapidly expanding. 


Malicious open source is designed to evade typical software composition analysis (SCA) scanners. However, users of Sonatype Repository Firewall can rest easy knowing that these packages would automatically be blocked from reaching their development builds and keep their software development life cycle (SDLC) hygienic.