Skip to main content
Skip table of contents

Detecting Malicious Packages

Overview

Mend detects malicious packages in your projects and provides detailed information about the threats that they carry. Malicious packages must be removed immediately as they contain functionality that actively seeks to undermine, steal data, or inject malicious code into your app.

How Can I Use This?

Detect Malicious Packages

Malicious package detection is now part of Mend scans. Findings are reported in the standard Mend UI, you are immediately notified right in the main Dashboard:

Mend employs unique methods for malicious package detection that delivers accurate results with very few false-positives. It checks many parameters besides library signatures to determine if a package poses a risk. Mend’s security research team further augments the automated analysis for even greater accuracy.

Here are some malicious package types that may be encountered:

Protestware

This type of malware promotes a particular political or social cause. Its goal is to display images and messages related to the cause, and in some cases it may perform malicious actions like deleting files, altering data, or disrupting the normal operation of a system.

Info Stealers

Information-stealing malware gathers valuable information from infected systems which can then be used for various malicious purposes, such as identity theft, financial fraud, corporate espionage, or further cyberattacks. Info stealers use various techniques to obtain sensitive data, including keylogging, clipboard monitoring, browser data extraction, screen capturing, memory scraping, and much more.

Crypto Miners

These programs are designed to mine cryptocurrencies, such as Bitcoin, Bonero and Ethereum, on the victim’s machine without the target’s consent. Miners generate revenue for the attacker by utilizing the target’s computer resources, leading to performance degradation. Miners are stealthy and so hard to detect, and they persist even after restarting or shutting down the machine.

Obfuscation code

Obfuscated code replaces an application’s code and it has been intentionally altered to make it difficult for humans or automated tools to detect. Obfuscation techniques are often employed by attackers to hide the presence of active malicious code and bypass security measures.

Common obfuscation techniques include variable and function renaming, control flow obfuscation, string obfuscation, code packing, dead code insertion and ‘opaque predicates’.

Remote Reverse Shells

This malicious software establishes a connection between an infected system and an attacker's machine, providing the attacker unauthorized access and control over the target system, opening it to data theft, system reconnaissance, entry to the network and deploying additional malware.

Malware dropper

Cybercriminals often use droppers to bypass security measures and avoid detection by antivirus apps since they are disguised as legitimate or innocuous files. Their primary purpose is to deliver and install other malware components onto a target system.

Remove a Malicious Package

In general, there are no remedies for malicious packages. Upgrading to a newer version is not l likely to help since the risk usually persists. Downgrading to an older, unaffected package is an option, but the best solution is to remove the package from your project and find a different one to use instead.

However, there are some things to check. Look at the name and the version of the package carefully, they may have been changed slightly from the original to confuse you. Check that you downloaded the package from a reputable source, and check online forums for more information. Notify the registry managers (e.g. npm, pyPI) about the package.

How Does It Work?

If any malicious libraries are found during a scan, they will be reported in the Mend UI. In the main Dashboard, a notice at the top warns that malicious libraries have been found during the scan, and the numbered diamonds in the Security Alerts section indicate the number of affected libraries in the project.

Click on either Per-Library or Per-Vulnerability Alerts to see which libraries have been identified:

Click on one of the listed libraries to view details of the malicious code in the library, including the specific attack vector and a detailed listing of the CVSS metrics:

Click the MSC name to view detailed information about the package along with a link to the package in the repository. Changes in a package’s files can provide insight into the attacker’s intent.

Getting It Done

Requirements and Setup

Malicious package detection is built into Mend CLI, no additional setup is required. Simply run a scan with the Mend CLI either manually or as part of a pipeline build.

Malicious Package Alerts

The best place to view information about malicious packages is in the Mend UI as described above. In addition, reports of malicious packages are given in the Mend CLI terminal output, in IDE and repository integrations, and in pipeline plugins.

Recommendations

  1. Make sure that the package was downloaded from a reputable registry.

  2. Packages containing spam or protestware are not considered harmful, although they do signal that someone with malicious intent has their eyes on the package.

  3. If the package is a popular one (say, with more than 10k downloads), than this is likely an isolated “account takeover” incident and it may then be possible to downgrade or upgrade the package version.

  4.  Mend recommends contacting your security department immediately so that they can take further action such as:

    1. Reviewing logs and other system data to determine if the package has compromised any sensitive information or caused other damage.

    2. Disconnecting the affected system from the network to prevent further data exfiltration or spread of the malicious package.

    3. Limiting access to the affected environment to essential personnel.

Remember, malicious packages are nothing like regular open-source vulnerabilities (CVEs). Vulnerabilities represent a potential threat to your environment, whereas malicious packages must be treated as active cyber attacks.

Mend.io - Supply Chain Defender

This video provides demonstrates Supply Chain Defender detecting a malicious package within a Github pull request.

Reference

Supported threat types

The following threats are detected by Mend CLI:

  • Data exfiltration

  • Spam packages

  • Protestware

  • Info stealers

  • Crypto miners

  • Obfuscation code

  • Remote reverse shells

  • Malware dropper

Note: Mend’s Supply Chain Defender identifies most of the threat covered here, and it may still be used to find malicious dependencies in Ruby and JavaScript projects.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close