FortiGuard Labs has tracked malicious software packages since November 2024, highlighting the range of techniques attackers use to compromise the systems that install them. The analysis describes tactics such as low-file-count packages, suspicious install scripts, and command-and-control communication methods, showing how malicious intent is concealed inside ordinary software installations. Affected: software environments, developers
Key points:
- FortiGuard Labs identified 1,082 malicious packages with low file counts.
- 1,052 packages included suspicious install scripts that could deploy harmful code silently.
- 1,043 packages lacked a repository URL, raising concerns about their legitimacy.
- 974 packages contained suspicious URLs that may communicate with command-and-control servers.
- 681 packages utilized suspicious APIs for data exfiltration or remote control activities.
- Notable examples of malicious Python, Node.js, and JavaScript scripts are highlighted as attack methods.
- These trends underscore the need for rigorous security measures when installing third-party packages.
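The five package traits listed above can be turned into a simple triage check. The scanner below is an added example, not FortiGuard's tooling: it applies the heuristics from the summary (low file count, install hook, missing repository URL, empty description, high version number, suspicious URL, suspicious API, base64 blob) to an npm package represented as a dict of file contents. The thresholds, the API watch-list and the sample package are assumptions constructed for illustration.

```python
import base64
import json
import re

# Constructed sample package (not from the report) carrying the traits the summary
# lists; 203.0.113.0/24 is a documentation address range, not a real server.
SAMPLE_FILES = {
    "package.json": json.dumps({"name": "example-helper", "version": "99.6.0",
                                "description": "", "scripts": {"postinstall": "node index.js"}}),
    "index.js": "const cp = require('child_process');\nfetch('http://203.0.113.10:8080/cb');\n"
                "const p = Buffer.from('" + base64.b64encode(b"constructed payload marker").decode() + "');",
}
INSTALL_HOOKS = {"preinstall", "install", "postinstall"}
SUSPICIOUS_APIS = ("child_process", "eval(", "process.env")   # assumed watch-list
URL_RE = re.compile(r"https?://[^\s'\"]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
MAX_FILES, MAX_MAJOR = 2, 50                                  # assumed thresholds

def scan_package(files):
    """Apply the summary's heuristics to {path: content}; return a list of findings."""
    manifest = json.loads(files.get("package.json", "{}"))
    findings = []
    if len(files) <= MAX_FILES:
        findings.append("low file count")
    hooks = INSTALL_HOOKS & set(manifest.get("scripts", {}))
    if hooks:
        findings.append("install script: " + ",".join(sorted(hooks)))
    if not manifest.get("repository"):
        findings.append("no repository URL")
    if not manifest.get("description"):
        findings.append("empty description")
    major = manifest.get("version", "0").split(".")[0]
    if major.isdigit() and int(major) >= MAX_MAJOR:
        findings.append("suspiciously high version")
    for path, content in files.items():
        for url in URL_RE.findall(content):
            host = url.split("/")[2]
            if ":" in host or re.fullmatch(r"\d+(\.\d+){3}", host):   # raw IP or odd port
                findings.append(f"suspicious URL in {path}: {url}")
        for api in SUSPICIOUS_APIS:
            if api in content:
                findings.append(f"suspicious API in {path}: {api}")
        for blob in B64_RE.findall(content):
            try:
                decoded = base64.b64decode(blob, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                continue   # not decodable text, so not reported as hidden content
            findings.append(f"base64 in {path}: {decoded[:40]!r}")
    return findings
```

Running `scan_package(SAMPLE_FILES)` reports every trait; a package with several files, a repository URL and no install hooks yields an empty list.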
MITRE Techniques:
- T1071.001 – Application Layer Protocol: Suspicious URLs used for command-and-control communication.
- T1059.001 – Command and Scripting Interpreter: Malicious install scripts deploying harmful code.
- T1070.001 – Indicator Removal on Host: Use of low file counts and empty descriptions to evade detection.
- T1027 – Obfuscated Files or Information: Use of coding techniques such as base64 encoding for hiding malicious intent.
- T1036 – Masquerading: High version numbers masking malicious software as legitimate.
Indicators of Compromise:
- [Package] affineQuant-99.6/main.py
- [Package] amzn-aws-glue-ml-libs-python-6.1.5/setup.py
- [Package] amzn-awsglue-6.1.4/setup.py
- [Package] seller-admin-common_6.5.8/index.js
- [Package] xeno.dll_1.0.2/index.js