New Threats on the Block: Malware in Open Source Packages

The open-source ecosystem is a cornerstone of modern software development, fostering innovation and collaboration. However, its very openness makes it susceptible to various cyber threats. According to a report by Comparitech, in 2023, more than 100 million strains of malware and potentially unwanted applications (PUA) were identified, demonstrating that malware-related attacks remain a grave cyber threat. 

New Malware Families in Open Source Packages

Install-Tamper Malware

How They Work: This type of malware tampers with the installation process of open-source packages. It injects malicious code during the package installation, which can then execute whenever the package is used.

Vulnerabilities Exploited: Install-Tamper malware exploits the trust that users place in open-source repositories and the lack of rigorous security checks during the package installation process.

Protection Strategies: To protect against Install-Tamper malware, it’s crucial to use verified and signed packages, enable two-factor authentication for repository accounts, and conduct regular security audits of dependencies.
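One way to start such a dependency audit for an npm project is sketched below. This is an added example, not code from the original article or from any vendor tool. It reads the `packages` map of a lockfile and reports entries that run install-time scripts, carry no integrity hash, or were not fetched from the expected registry. The lockfile contents, the package names and the `TRUSTED_REGISTRY` value are constructed assumptions.

```javascript
// Constructed sample lockfile (npm lockfileVersion 3); package names are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/safe-lib": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/safe-lib/-/safe-lib-2.1.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER"
    },
    "node_modules/native-helper": {
      version: "0.4.2",
      resolved: "https://registry.npmjs.org/native-helper/-/native-helper-0.4.2.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
      hasInstallScript: true
    },
    "node_modules/forked-util": {
      version: "1.0.0",
      resolved: "git+ssh://git@example.com/someone/forked-util.git#0000000"
    }
  }
};

// Assumption: the public npm registry is the only approved source; adjust for a private one.
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

function auditLockfile(lock, registry = TRUSTED_REGISTRY) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || meta.link) continue; // skip the root project and workspace links
    // "node_modules/a/node_modules/@s/b" -> "@s/b"
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const add = (rule, detail) => findings.push({ name, version: meta.version, rule, detail });
    // Packages with preinstall/install/postinstall hooks run code during `npm install`.
    if (meta.hasInstallScript) add("install-script", "runs lifecycle scripts at install time");
    // Without a recorded hash, the downloaded tarball cannot be checked against the lockfile.
    if (!meta.integrity) add("no-integrity", "no integrity hash recorded");
    // Anything fetched from elsewhere bypasses the registry's publishing controls.
    if (!meta.resolved || !meta.resolved.startsWith(registry))
      add("off-registry", `resolved from ${meta.resolved || "unknown source"}`);
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK))
  console.log(`${f.name}@${f.version}: ${f.rule} (${f.detail})`);
```

Packages flagged as `install-script` are the ones to review before running `npm install` outside a sandbox.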

Example of Install-Tamper Malicious Code: npm Package “colors” (2022)


The “colors” package is a popular npm library used for adding color effects to console logs. It is widely utilized in various Node.js applications.

How It Worked:

In early 2022, a version of the “colors” package was maliciously modified to include an infinite loop script within its main file. This alteration was made by the project maintainer himself, who allegedly did it as a protest against corporate use of open-source projects without adequate support or donations.


This modification caused any application using the compromised version of “colors” to crash, leading to widespread disruption among numerous businesses and software systems that depended on the package for their operations.

Lessons Learned:

This incident underscores the vulnerabilities inherent in the trust-based model of open-source package management. It highlights the need for maintainers to uphold ethical standards and for users to conduct thorough reviews and tests of third-party dependencies in their development environments. The “colors” case also stresses the importance of backing open-source maintainers to prevent burnout and unethical retaliations.

First-Use Backdoor

How They Work: This backdoor activates when an open-source package is imported and used for the first time. It can send system information to a remote server or download additional payloads.

Vulnerabilities Exploited: First-Use Backdoors take advantage of the execution of unverified code upon the first use of a package, often bypassing static analysis tools.

Protection Strategies: Reviewing and monitoring the code of newly imported packages and using dynamic analysis tools to detect unusual behavior are key to defending against First-Use Backdoors.

Example of First-Use Backdoor: Webmin Backdoor Incident (2019)


Webmin is a popular web-based system administration interface for Unix. In 2019, it was discovered that the software had been compromised with a backdoor that had been present in the code for over a year before detection.

How It Worked:

The backdoor was secretly introduced into the Webmin GitHub repository through a compromised build server. The malicious code was only active if the administrator changed the password using the Webmin interface. Once triggered, it allowed remote command execution with root privileges.


The backdoor was shipped with Webmin versions from 1.882 to 1.921, affecting potentially over three million websites and servers. The backdoor opened systems to remote attackers who could potentially gain full control of the server, leading to data theft, server hijacking, and further network compromise.

Lessons Learned:

This incident highlights the critical vulnerability that can occur when build processes are compromised. It underscores the importance of securing build servers and conducting regular security audits of the software development lifecycle. The Webmin case also demonstrates the need for thorough vetting of software updates, even when they come from trusted sources.

Runtime-Compromise Worm

How They Work: This worm lies dormant within an open-source package and activates during runtime, potentially spreading to other packages and systems.

Vulnerabilities Exploited: Runtime-Compromise Worms exploit the interconnected nature of open-source projects where one compromised package can affect others.

Protection Strategies: Implementing strict runtime behavior monitoring and anomaly detection systems can help identify and mitigate such threats.

Example of Runtime-Compromise Worm: P2PInfect, the Rusty Peer-to-Peer Self-Replicating Worm


P2PInfect is a peer-to-peer (P2P) worm discovered by Unit 42 cloud researchers.

Written in Rust, a highly scalable and cloud-friendly programming language, this worm is capable of cross-platform infections and targets Redis, a popular open-source database application heavily used within cloud environments.

How It Works:

Initial Exploitation:

  • P2PInfect exploits the Lua sandbox escape vulnerability, CVE-2022-0543, in vulnerable Redis instances.
  • The vulnerability allows the worm to execute arbitrary code within the Lua scripting environment.

Payload Delivery:

  • Once initial access is achieved, P2PInfect drops an initial payload that establishes P2P communication to a larger network.
  • The worm then pulls down additional malicious binaries, including OS-specific scripts and scanning software.


  • The infected Redis instance joins the P2P network, providing access to other payloads for future compromised Redis instances.
  • P2PInfect targets both Linux and Windows operating systems, making it more scalable and potent than other worms.


Unit 42 researchers identified over 307,000 unique Redis systems communicating publicly over the last two weeks, of which 934 may be vulnerable to this P2P worm variant.

P2PInfect serves as an example of a serious attack threat actors could conduct using this vulnerability.
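Because the worm depends on Redis instances that are reachable from other hosts, a configuration check is a practical first defensive step. The following is an added example, not code from the original article or from Unit 42. It parses a `redis.conf` and reports settings that leave the instance exposed without authentication. Both sample configurations and the password value are constructed. The check covers exposure only, not whether the installed Redis build is patched against CVE-2022-0543.

```javascript
// Constructed sample configurations.
const WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n";
const HARDENED_CONF =
  "# local access only\nbind 127.0.0.1 -::1\nprotected-mode yes\n" +
  "requirepass constructed-sample-secret\n";

const LOOPBACK = /^(127\.\d+\.\d+\.\d+|::1|localhost)$/;

function parseRedisConf(text) {
  const conf = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue; // skip blanks and comments
    const [key, ...args] = line.split(/\s+/);
    conf[key.toLowerCase()] = args; // simplified parser: the last occurrence wins
  }
  return conf;
}

function auditRedisConf(text) {
  const conf = parseRedisConf(text);
  const findings = [];
  // A leading "-" on a bind address only means "skip this address if unavailable".
  const binds = (conf["bind"] || []).map(a => a.replace(/^-/, ""));
  // With no bind directive Redis listens on all interfaces.
  const exposed = binds.length === 0 || binds.some(a => !LOOPBACK.test(a));
  const hasPassword = (conf["requirepass"] || []).join("").replace(/"/g, "") !== "";
  const protectedMode = (conf["protected-mode"] || ["yes"])[0].toLowerCase() !== "no";
  if (exposed) findings.push("listens on a non-loopback interface");
  if (!hasPassword) findings.push("no requirepass set");
  if (!protectedMode) findings.push("protected-mode disabled");
  if (exposed && !hasPassword && !protectedMode)
    findings.push("CRITICAL: reachable from the network without authentication");
  return findings;
}

console.log("weak:", auditRedisConf(WEAK_CONF));
console.log("hardened:", auditRedisConf(HARDENED_CONF));
```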

Lessons Learned:

Developers must review and verify their packages, keep dependencies up to date, and be cautious about package names and sources.

Vigilance and continuous monitoring are essential to prevent such supply chain attacks.

Dependency-Chain Attack

How They Work: Attackers compromise one package in a dependency chain, which then affects all other packages that rely on it.

Vulnerabilities Exploited: This attack exploits the trust in package dependencies and the cascading effect of one compromised package.

Protection Strategies: Using a software composition analysis tool to track and manage open-source components and their dependencies can protect against Dependency-Chain Attacks.

Example of Dependency-Chain Attack: npm Package “event-stream” (2018), a Supply Chain Compromise


In 2018, the popular npm package called “event-stream” was compromised.

The attack involved a dependency-chain manipulation that affected unsuspecting users.

How It Worked:

Initial Compromise:

  • The attacker took over a less-used dependency called “flatmap-stream.”
  • They injected malicious code into “flatmap-stream.”


  • The compromised “flatmap-stream” was included as a dependency in the widely used package “event-stream.”
  • Many projects unknowingly installed the compromised “event-stream” package.


The attacker gained access to sensitive information from unsuspecting users.

The incident highlighted the risks of supply chain attacks via dependencies.
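When a transitive package such as “flatmap-stream” is reported as compromised, the first question is which of your direct dependencies pull it in. The following is an added example, not code from the original article or from any software composition analysis product. It walks an npm lockfile and lists every dependency chain from the project root to a named package. The lockfile is constructed, `build-tool` is a hypothetical package, and the version strings are placeholders rather than the affected releases.

```javascript
// Constructed sample lockfile (npm lockfileVersion 3); versions are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "build-tool": "^1.0.0", "event-stream": "*" } },
    "node_modules/build-tool": { version: "1.0.0", dependencies: { "event-stream": "*" } },
    "node_modules/event-stream": { version: "0.0.0-sample", dependencies: { "flatmap-stream": "*" } },
    "node_modules/flatmap-stream": { version: "0.0.0-sample" }
  }
};

// Mirror Node's lookup: try the nearest node_modules folder first, then walk up to the root.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  while (true) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Return every chain "root > a@v > b@v > target@v" that leads to `target`.
function pathsTo(lock, target) {
  const pkgs = lock.packages, results = [];
  const walk = (path, chain, seen) => {
    const meta = pkgs[path];
    const deps = { ...meta.dependencies, ...meta.optionalDependencies,
                   ...(path === "" ? meta.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(pkgs, path, dep);
      if (!resolved || seen.has(resolved)) continue; // not installed, or a cycle
      const next = [...chain, `${dep}@${pkgs[resolved].version}`];
      if (dep === target) results.push(next.join(" > "));
      else walk(resolved, next, new Set(seen).add(resolved));
    }
  };
  walk("", [pkgs[""].name], new Set([""]));
  return results;
}

pathsTo(SAMPLE_LOCK, "flatmap-stream").forEach(p => console.log(p));
```

Each printed chain names a direct dependency that has to be updated, pinned or replaced to remove the compromised package from the tree.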

Lessons Learned:

Developers must review and verify their packages, keep dependencies up to date, and be cautious about package names and sources.

Vigilance and continuous monitoring are essential to prevent such supply chain attacks.

Protection Strategies for Open Source Security

Organizations leveraging open-source software need robust protection measures. Xygeni provides a simplified, proactive approach to cybersecurity. By focusing on prevention, real-time action, and comprehensive analysis, Xygeni ensures your projects are protected from emerging threats and malicious code in third-party dependencies.

Make Informed Decisions with a Complete Package Analysis

Evaluate the security of open-source packages quickly and effectively with Xygeni. It enables developers to assess millions of packages effortlessly, ensuring the safety and reliability of the components you choose for your projects. Optimize your selection process while enhancing the security of your applications.

Defend Proactively with Real-Time Malware Detection

Take action against threats before they infiltrate your systems. Xygeni’s real-time scanning blocks zero-day malware, including typosquatting and dependency confusion, at the moment of publication. This immediate protection prevents malware from entering workstations and development environments, safeguarding your projects from the outset.

Enhance Supply Chain Security

Monitor updates in real time to prevent compromised packages from affecting your projects. Xygeni’s vigilant supply chain protection detects and blocks suspicious changes, ensuring the integrity of your dependencies. With Xygeni, you can maintain a secure, reliable supply chain, preventing issues before they can cause harm.

Enhance your security strategy with Xygeni and experience the peace of mind that comes from knowing your software and data are secure.
