This Week in Malware - Over 100 packages discovered
6 minute read time
This week in malware, we discovered and analyzed more than 100 packages flagged as malicious, suspicious, or dependency confusion attacks in npm and PyPI registries.
Malicious packages caught by Sonatype
We caught the following this week via Sonatype's automated malware detection system, offered as a part of Sonatype Repository Firewall:
1inch
4ff-lib-foundation
@malware-test-bises-celts-borel-sneak/test-mlw3-bises-celts-borel-sneak
@malware-test-jelly-poled-trull-tokes/test-mlw3-jelly-poled-trull-tokes
@malware-test-lazar-bales-avows-inkle/test-mlw3-lazar-bales-avows-inkle
@malware-test-merge-agony-whits-blate/test-mlw3-merge-agony-whits-blate
@malware-test-piles-perky-glory-sahib/test-mlw3-piles-perky-glory-sahib
@malware-test-pling-pangs-birks-cubit/test-mlw3-pling-pangs-birks-cubit
@schnux/example
@step-security/malware-simulator
ahahjesus
amitbhai
anis-regex
ansi-ergex
ansi-reegx
ansi-regxe
ansi-rgeex
asni-regex
aynmatch
aypports-color
cis-publishers
cloudflare-plugin-frontend
coveragepublisher
cumul.io-integration
cumul.io-plugin-citybikes
cumul.io-plugin-mysql
d2-collection
darshanno1
dcrdata
demozeel
deubg
dexclient
discord-external
dup-glob
dupport-colors
dypports-color
edbug
esrtaverse
estarverse
estraevrse
estraveres
estravesre
estravrese
estrvaerse
ethereum0etl
ethereum2
etsraverse
xxx-sdk-sample-node * intentionally redacted to protect the target
example-gke-workload-identity-app
finn-style
futures-sdk
ginore
glob-aprent
ibiza-universe
ignoer
ignroe
imcromatch
ingore
log-status
mciromatch
micormatch
micrmoatch
micro-ed25519-hdkey
microamtch
micromacth
micromtach
mircomatch
navigator-updatertest
naymatch
pip-foo
predpatt
retrap
setraverse
shopify-marketplaces-admin-app
sjesc
soupports-colors
spuports-color
srv-configs
suopport-colors
supoprts-color
supporst-color
supports-cloor
supports-colro
supports-coolr
supports-oclor
suppotrs-color
supprots-color
suypport-colors
sypport-color
syupport-colors
tds-publish
tensorflow-estimator-2.0-preview
test-mlw1-bises-celts-borel-sneak
test-mlw1-goals-roker-elmen-bongo
test-mlw1-karat-jowar-scurs-pearl
test-mlw1-noops-semis-edict-bokes
test-mlw1-ogres-bogle-kakas-bogus
test-mlw1-picky-argal-cried-alloy
test-mlw1-piles-perky-glory-sahib
test-mlw1-pling-pangs-birks-cubit
test-mlw1-rakee-clasp-mudir-ovoid
test-mlw1-salto-drags-hunks-chiao
test-mlw1-tasty-fazed-witan-quins
test-mlw2-bises-celts-borel-sneak
test-mlw2-picky-argal-cried-alloy
test-mlw2-pling-pangs-birks-cubit
test-mlw2-salto-drags-hunks-chiao
test-mlw2-tasty-fazed-witan-quins
tlsib
tomcrypt
tsilb
tslbi
uspports-color
utility-common-v2
wanger
warprnnt-pytorch
webcm-dev
websocket-template
Y1zh3e7
These discoveries follow our report last week of over 130 new packages discovered.
Turn on Sonatype Repository Firewall for automatic protection
As a DevSecOps organization, we remain committed to identifying and halting attacks, such as those mentioned above, against open source developers and the wider software supply chain.
Users of Sonatype Repository Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.
Sonatype Repository Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in progress, thereby keeping your software supply chain protected from the start.
Sonatype's world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from infections.
Written by Aaron Linskens
Aaron is a technical writer on Sonatype's Marketing team. He works at a crossroads of technical writing, developer advocacy, software development, and open source. He aims to get developers and non-technical collaborators to work well together via experimentation, feedback, and iteration so they can build the right software.
Explore All Posts by Aaron Linskens