This security update discusses two malicious packages discovered in the npm package repository.
One of them, nodejs-encrypt-agent, was found to contain an open source trojan called TurkoRat along with a dependency named axios-proxy.
This trojan was also found to masquerading as another legitimate npm module called agent-base.
The findings once again underscore the ongoing risk of threat actors orchestrating supply chain attacks via open source packages and baiting developers into downloading potentially untrusted code.
The growing use of malicious npm packages fits in with a broader pattern of surging attacker interest in open source software supply chains, not to mention highlighting the increasing sophistication of threat actor.
Symantec describes the finding as further proof that threat actors increasingly sophisticated in their attack strategies
๐ Feeling the vibes?
Keep the good energy going by checking out my Amazon affiliate link for some cool finds! ๐๏ธ
If not, consider contributing to my caffeine supply at Buy Me a Coffee โ๏ธ.
Your clicks = cosmic support for more awesome content! ๐๐
Leave a Reply