Recently identified npm packages called "node-request-ip", "request-ip-check" and "request-ip-validator" impersonate handy open source utilities relied upon by developers to retrieve an external IP address but instead target Windows, Linux and macOS users with malicious executables which are trojans and cryptocurrency stealers.
Careful with that: Not all IP checkers are just that
It isn't uncommon for developers to use lightweight open source libraries like, for example, is-even that accomplish rather simple tasks but save a programmer the trouble of reinventing the wheel and introducing any unexpected bugs.
Similarly, while NodeJS code for obtaining the external IP address of a system should be pretty straightforward, a handful of utilities exist on the npmjs.com registry which help programmers accomplish this task a tad faster. However, recently a malicious actor began publishing counterfeit utilities under the guise of simple IP checker and validation tools to lure unsuspecting devs in.
Tracked as sonatype-2024-011414 ,these components were flagged by Sonatype's automated malware detection systems and blocked by Sonatype Repository Firewall.
Analyzed by our security researchers Carlos Fernández and Adam Reynolds, the packages listed below only pretend to be "a small Node.js module to retrieve the request's IP address," and imitate the legitimate "request-ip" package:
- node-request-ip
- request-ip-check
- request-ip-validator
These packages, however, contain obfuscated code to download one or more executables targeting Windows and macOS machines. Both the "ip.js" and "in.js" files in these packages contain obfuscated code, a part of which is shown below.
The strings contained in the code reveal an interesting IP address 95.216.251[.]178 which is where several questionable binaries are being downloaded from. Different endpoints (shown above) retrieve different binaries which are OS-specific, including EXEs for Windows EXEs and ELFs for Linux systems.
VirusTotal analyses of some of these files are linked to below:
- A counterfeit 'svchost.exe' named after a legitimate Windows systems process.
- A 'gsd-mouse' Linux executable (ELF) which has been flagged as a trojan by several antivirus engines.
- A 'node.exe' executable, which has had zero detections thus far on VirusTotal
- A JavaScript file 'index' containing executable code.
An ANY.RUN sandbox run-through for 'svchost.exe' is provided below for reference and helps us evaluate the dynamic behavior of the suspicious executable.
Overall, the different executables delivered by these typosquatting packages are trojans, info-stealers, or cryptocurrency stealers.
Referring to these packages, Fernández advises:
"In recent malware campaigns, attackers are using NPM packages like node-request-ip to stealthily download and install a node binary tailored to the victim’s OS — whether Windows, Linux, or macOS. This binary installation guarantees the attackers can consistently execute malicious JavaScript code on the infected machine, regardless of the local environment, a tactic that’s becoming increasingly common."
"Once this binary is in place and running in the background, the malware could open a WebSocket connection to an attacker-controlled command-and-control server, like node-request-ip does. Through this connection, attackers can send commands to exfiltrate valuable data, inject additional files, and even modify or delete system files at will, effectively turning the victim’s machine into a botnet node. This setup enables continuous monitoring and remote control, allowing attackers to harvest sensitive information from the network of compromised devices."
Part of a larger campaign spanning months
In September, researchers at cybersecurity firm Socket discovered an "express-dompurify" typosquat which appeared to impersonate the legitimate, vastly popular npm library, dompurify. Socket's analysis shed light on the "data uploading mechanism" of the typosquat and reveals the same IP address which is associated with our findings.
We further found the occurrence of this very IP address in the following typosquatting packages detected by us:
- bcryptutils
- express-bcryptjs
- express-core-cache
- express-eval
- nestjs-validator
All of this is a fairly positive indicator that the same (group of) threat actor(s) is behind a larger campaign pushing these typosquats and misleading packages to target different niches of developers with a vast arsenal of carefully crafted binaries specific to their system architectures.
Open source malware blocked by Sonatype Repository Firewall
This isn't the first time a stunt like this has been pulled, but it's a stark reminder of threat actors' evolving tactics and commitment to exploiting the open source ecosystem for nefarious reasons. The case highlights a pressing need for improved supply chain security measures and greater vigilance in monitoring third-party software registries developers. Organizations must prioritize security at every stage of the development process to mitigate risks associated with third-party dependencies.
Sonatype Repository Firewall and Sonatype Lifecycle stay on top of nascent attacks and vulnerabilities and provide you with detailed insights to thwart previously undetected malware, Potentially Unwanted Applications (PUAs), and vulnerable components from reaching your builds:
Malicious open source is designed to evade typical software composition analysis (SCA) scanners. However, users of Sonatype Repository Firewall can rest easy knowing that these packages would automatically be blocked from reaching their development builds and keep their software development life cycle (SDLC) hygienic.
