TurkoRat has infiltrated NPM! More malicious packages terrorize developers

Researchers ReversingLabs discovered in the popular JavaScript– repositories NPM two malicious packages hiding TurkoRat, information stealing software.

Packages named “nodejs-encrypt-agent” and “nodejs-cookie-proxy-agent” were downloaded approximately 1200 times in total and were available for more than two months before they were identified and removed.

Both packages were popular because they had a similar name to other popular packages commonly used by developers. This is a classic scheme for placing malicious packages in developer repositories.

ReversingLabs described TurkoRat as “an information theft tool capable of collecting sensitive information such as login credentials, cookies, and data from cryptocurrency wallets.”

The growing use of malicious packages in various public repositories and directories fits into a larger picture of the growing interest of attackers in open source software supply chains.

Literally yesterday we wrote about malicious extensions Microsoft VSCode Marketplaceand a lot of news this year came out about malicious packages in pypi , NPM , NuGet and other repositories for developers.