Today’s Security Tidbit: An Encrypted JSON File Containing Malicious Code

As security researchers, we see new malicious methods being introduced on a daily basis by the ever-industrious global cadre of malicious actors. But not everything we find constitutes breaking news. Sometimes we run across something that doesn’t necessarily pose a threat, but still piques our interest. Instead of being the security equivalent of a four-course meal, it’s more of an amuse-bouche.

Case in point: an interesting new technique we recently encountered in a package published by a security researcher. The package, named ‘support-center-components’, runs its payload automatically upon installation. What really caught our interest is that the harmful code is not only stored in a JSON file, but is also fully encrypted.

JSON is a lightweight data-interchange format: it carries data, not executable code. A package.json file sits at the root of every Node.js project and is critical to the project’s installation and operation; the data in it drives dependency installation, lifecycle script execution and more. A .json file is therefore not where anyone expects to find malicious code, and certainly not encrypted malicious code.

Inside the package

Let’s take a look at what this particular researcher came up with. The package contains five files:

  • A standard README file
  • A package.json file whose preinstall script runs the install.js file we will inspect shortly
  • An empty index.js file
  • Two one-liner files, install.js and install.json

Figure 1 – the content of the package

The install.js and install.json files are what caught our attention, as the screenshots below illustrate:

Figure 2 – the install.js file and the encrypted install.json file
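As an added example (not the package’s own code, which the post shows only in screenshots), the following Node.js script performs the static check a reviewer would want for a package laid out like this one: it flags install-time lifecycle scripts in package.json, and it flags any other .json file that either does not parse as JSON or has the near-uniform character distribution of ciphertext. The sample package contents below, including the ‘node install.js’ preinstall command and the opaque install.json blob, are constructed stand-ins rather than the real package’s files, and the entropy threshold of 5.5 bits per character is an assumed tuning value.

```javascript
// Added example, not the package's own code: a static audit of an npm package
// directory that flags the two traits described above, an install-time
// lifecycle script in package.json and a .json file that is not JSON at all.
// An encrypted blob cannot be parsed and has the near-uniform character
// distribution of ciphertext, so both checks fire on it.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Shannon entropy in bits per character. Base64 ciphertext approaches 6;
// ordinary JSON or prose stays well below 5.
function shannonEntropy(text) {
  if (text.length === 0) return 0;
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / text.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function tryParseJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, value: undefined };
  }
}

// files maps a relative path to the file's text, as read from an unpacked
// tarball. The entropy threshold (5.5 bits/char) is an assumed tuning value.
function auditPackage(files, entropyThreshold = 5.5) {
  const findings = [];

  // 1. Any lifecycle hook runs code on the installing machine during npm install.
  const manifest = files['package.json'];
  if (manifest !== undefined) {
    const parsed = tryParseJson(manifest);
    const scripts = (parsed.ok && parsed.value && parsed.value.scripts) || {};
    for (const hook of LIFECYCLE_HOOKS) {
      if (typeof scripts[hook] === 'string') {
        findings.push({ file: 'package.json', kind: 'lifecycle-script',
                        detail: `${hook}: ${scripts[hook]}` });
      }
    }
  }

  // 2. Every other .json file must parse and look like data, not ciphertext.
  for (const [path, content] of Object.entries(files)) {
    if (path === 'package.json' || !path.endsWith('.json')) continue;
    if (!tryParseJson(content).ok) {
      findings.push({ file: path, kind: 'unparseable-json',
                      detail: 'file does not parse as JSON' });
    }
    const h = shannonEntropy(content.trim());
    if (h >= entropyThreshold) {
      findings.push({ file: path, kind: 'high-entropy',
                      detail: `${h.toFixed(2)} bits/char` });
    }
  }
  return findings;
}

// Constructed sample mirroring the layout described in the post. The blob is
// a stand-in for the encrypted install.json: a permutation of the base64
// alphabet, which has exactly the flat character histogram real ciphertext
// shows. The preinstall command text is assumed, not copied from the package.
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
const OPAQUE_BLOB = [...B64].map((_, i) => B64[(i * 37) % 64]).join('');

const SAMPLE_SUSPICIOUS = {
  'README.md': '# support-center-components\n',
  'package.json': JSON.stringify({
    name: 'support-center-components', version: '1.0.0', main: 'index.js',
    scripts: { preinstall: 'node install.js' },
  }),
  'index.js': '',
  'install.js': '// stand-in for the one-liner that reads, decrypts and runs install.json\n',
  'install.json': OPAQUE_BLOB,
};

const SAMPLE_BENIGN = {
  'package.json': JSON.stringify({ name: 'demo', version: '1.0.0' }),
  'settings.json': '{"name":"demo","retries":3}',
  'index.js': 'module.exports = {};\n',
};

for (const [label, pkg] of [['suspicious', SAMPLE_SUSPICIOUS], ['benign', SAMPLE_BENIGN]]) {
  const findings = auditPackage(pkg);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.file} [${f.kind}] ${f.detail}`);
}
```

Run against a real unpacked tarball by filling the `files` map with `fs.readFileSync` over the package directory; the suspicious sample yields three findings (the preinstall hook, and install.json as both unparseable and high-entropy) while the benign sample yields none. The entropy check is a heuristic, so minified or base64-encoded data files will also trip it and need a human look. Independently of any scan, `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) stops a preinstall hook from running at all, at the cost of breaking packages that legitimately need install-time build steps.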

Figure 5 – the README file of the package ‘support-center-components’

Impact

Now, a security researcher playing around on npm is not generally considered a threat, and by no means do we want to imply that it is. But bear in mind that malicious authors often mimic each other’s code, which raises the risk that we will see this method of encrypted malicious code repeated. And next time, it could well carry a more dangerous payload in the JSON file, such as a remote shell.

How to protect your organization 

Supply chain attacks evolve and grow more frequent each day. The easiest way to protect this attack surface is to use an automated supply chain security solution such as Mend Supply Chain Defender, which informs you when you import a malicious package from open source registries. 

Mend enterprise customers using JFrog Artifactory as a private repository manager can prevent malicious open source software from entering their code base using the Mend Supply Chain Defender Integration with JFrog Artifactory. Learn how Mend Supply Chain Defender blocks software supply chain attacks.
