Dev News: Trouble in npm, Vue 3.3 and Cloudflare Updates
ReversingLabs researchers revealed Thursday that two malicious packages lived on npm for two months before being detected.
“The presence of such suspicious characteristics and behaviors first caused the npm package nodejs-encrypt-agent to come to our attention,” wrote Lucija Valentić, a software threat researcher at ReversingLabs. “First published more than two months ago, nodejs-encrypt-agent appears at first glance to be a legitimate package. However, discrepancies raised red flags with our researchers.”
Researchers detected an open source info stealer called TurkoRat after noting several red flags in the npm package nodejs-encrypt-agent, including that the package name differed from the name listed in its readme.md file and that its version numbers were irregular. At first they dismissed the findings, assuming npm administrators would have recognized the package if it were malicious. But the researchers decided to analyze the packages using ReversingLabs' Software Supply Chain Security solution.
“When we looked inside the nodejs-encrypt-agent, we found that the code and functionality mirrored the agent-base package it was squatting on. That is to be expected,” Valentić stated. “There was, however, a small, but very significant difference: The nodejs-encrypt-agent package contained a portable executable (PE) file that, when analyzed by ReversingLabs was found to be malicious.”
The code was also found in a few nodejs-cookie-proxy-agent packages. The research team noted that exposure was limited: nodejs-encrypt-agent was downloaded about 500 times and nodejs-cookie-proxy-agent fewer than 700 times.
“Still, the malicious packages were almost certainly responsible for the malicious TurkoRat being run on an unknown number of developer machines. The longer-term impact of that compromise is difficult to measure,” Valentić noted.
The PE file executes almost immediately after the package runs, enacting malicious commands hidden in the first few lines of the index.js file, the researchers found.
Among the bad behaviors identified in the PE component are the ability to:
- Write and delete from Windows system directories;
- Execute commands; and
- Tamper with domain name system settings.
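The red flags described above (a README that names a different package, an odd version string, a bundled Windows PE binary, and commands executed from the first lines of index.js) can be checked mechanically before a package is installed. The following is an added example, not code from ReversingLabs or from the article: it audits an unpacked npm package held as an in-memory map of path to content, so it runs offline. The package names, the version heuristic (anything that is not plain `x.y.z`), the ten-line window at the top of the entry file, and the lifecycle-hook check are assumptions of this example; in practice you would fill the map from an extracted `npm pack` tarball.

```javascript
// Added example (not from ReversingLabs or the article): defender-side audit
// of an unpacked npm package for the red flags the report describes.
// `files` maps relative path -> string | Buffer, so the check runs offline.

function isPeFile(buf) {
  // Windows PE layout: "MZ" DOS header, e_lfanew at offset 0x3c points to "PE\0\0".
  if (buf.length < 0x40 || buf[0] !== 0x4d || buf[1] !== 0x5a) return false;
  const peOffset = buf.readUInt32LE(0x3c);
  return peOffset + 4 <= buf.length &&
    buf.toString('latin1', peOffset, peOffset + 4) === 'PE\0\0';
}

function readmeTitle(readme) {
  // First level-1 markdown heading; npm READMEs conventionally name the package there.
  const m = /^#\s+(\S+)/m.exec(readme);
  return m ? m[1] : null;
}

// Assumed heuristic: child_process use or a direct exec/spawn call.
const EXEC_PATTERN = /child_process|\b(?:exec|execSync|spawn|spawnSync|execFile)\s*\(/;

function auditPackage(files) {
  const findings = [];
  const text = (p) => {
    const v = files[p.replace(/^\.\//, '')];
    return Buffer.isBuffer(v) ? v.toString('utf8') : (v || '');
  };
  const pkg = JSON.parse(text('package.json'));

  // 1. README title vs. package.json name (the mismatch the researchers noticed).
  const title = readmeTitle(text('README.md'));
  if (title && title !== pkg.name) {
    findings.push(`readme title "${title}" does not match package name "${pkg.name}"`);
  }
  // 2. Version string that is not plain semver (assumed heuristic for "irregularities").
  if (!/^\d+\.\d+\.\d+$/.test(pkg.version || '')) {
    findings.push(`irregular version string "${pkg.version}"`);
  }
  // 3. Lifecycle hooks that run code at install time.
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (pkg.scripts && pkg.scripts[hook]) findings.push(`lifecycle hook ${hook}: ${pkg.scripts[hook]}`);
  }
  // 4. Any Windows PE binary bundled in the tree.
  for (const [path, content] of Object.entries(files)) {
    if (Buffer.isBuffer(content) && isPeFile(content)) findings.push(`Windows PE binary bundled at ${path}`);
  }
  // 5. Command execution in the first lines of the entry file.
  const entry = pkg.main || 'index.js';
  const head = text(entry).split('\n').slice(0, 10).join('\n');
  if (EXEC_PATTERN.test(head)) findings.push(`command execution in first lines of ${entry}`);
  return findings;
}

// Constructed sample: a package whose README, name and entry file agree.
const benignPackage = {
  'package.json': JSON.stringify({ name: 'demo-proxy-agent', version: '1.2.0', main: 'index.js' }),
  'README.md': '# demo-proxy-agent\n\nHTTP proxy agent.\n',
  'index.js': 'module.exports = function agent(opts) { return opts; };\n',
};

// Constructed sample mimicking the reported pattern: README names a different
// package, a PE blob is bundled, and the entry file spawns it immediately.
const fakePe = Buffer.alloc(0x80);
fakePe.write('MZ', 0, 'latin1');
fakePe.writeUInt32LE(0x40, 0x3c);
fakePe.write('PE\0\0', 0x40, 'latin1');
const suspiciousPackage = {
  'package.json': JSON.stringify({
    name: 'demo-encrypt-agent', version: '6.0.4', main: 'index.js',
    scripts: { postinstall: 'node index.js' },
  }),
  'README.md': '# demo-proxy-agent\n\nHTTP proxy agent.\n',
  'index.js': "const { execFile } = require('child_process');\nexecFile('./lib/agent.exe');\nmodule.exports = {};\n",
  'lib/agent.exe': fakePe,
};

console.log('benign:', auditPackage(benignPackage));
console.log('suspicious:', auditPackage(suspiciousPackage));
```

Run with `node audit.js` after pasting the block into a file. The benign sample produces no findings; the suspicious one reports four: the README mismatch, the postinstall hook, the bundled PE file, and the child_process call at the top of index.js. The PE check is a structural one (MZ header plus PE signature), so it catches a binary regardless of its file extension.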
“TurkoRat is just one of many open source malware families that are offered for ‘testing’ purposes, but can readily be downloaded and modified for malicious use, as well,” Valentić stated. “TurkoRat’s author clearly anticipates this, as he provides instructions on how to use malicious code, while stating that he is ‘not responsible for any damages this software may cause and that it was only made for personal education.’”
This is not the first time npm has made news for harboring malicious code.
“When using packages from public repositories in their projects, developers should keep an eye peeled for these small, but telling details to avoid a malicious package being introduced as a dependency in some larger project,” Valentić advised.
Vue 3.3 Focuses on Developer Experience with TypeScript
Vue 3.3 is now available, with the new release focused on developer experience. Specifically, it improves how TypeScript is used with SFC <script setup>, according to the Vue team.
The compiler can now resolve imported types and supports a limited set of complex types, which means types used in the type parameter position are no longer limited to local types and support more than type literals and interfaces, the team explained in this blog post.
Components using <script setup> can now accept generic type parameters via the generic attribute. Also in this upgrade:
- More ergonomic defineEmits
- Typed slots with defineSlots
It also introduces some experimental features, including reactive props destructure, which allows destructured props to retain reactivity and provides a more ergonomic way to declare default values for props. Vue 3.3 also simplifies two-way binding with v-model via a new defineModel macro. Since both are experimental, they require an explicit opt-in, the team wrote.
It also addresses JSX import source support.
“Currently, Vue’s types automatically register global JSX typing. This may cause conflicts when used together with other libraries that need JSX type inference, in particular React,” the post noted. “Starting in 3.3, Vue supports specifying the JSX namespace via TypeScript’s jsxImportSource option. This allows users to choose global or per-file opt-in based on their use case.”
It still registers the JSX namespace globally for backward compatibility — but be forewarned, the plan is to remove the default global registration in version 3.4. The blog post hits the highlights, but a complete list of changes is available on GitHub.
CDN Cloudflare Adds Next.js, Angular, Other Adapters
An AI assistant, named Cursor, has been trained to answer questions about Cloudflare’s Developer Platform. This blog post outlines how Cloudflare sees AI evolving to fit developers’ needs, but Cursor will first be used as an addition to Cloudflare’s documentation to help developers get answers as quickly as possible. When asked a question, Cursor will provide a text-based response and links to relevant pages in the documentation.
Also on the AI front, the company introduced Constellation, which allows developers to run pre-trained machine learning models and inference tasks on Cloudflare’s network.
Cloudflare also announced it had new or improved adapters for Next.js, Angular, Qwik, Astro, Nuxt and Solid.
Finally, the company announced an improved Quick Edit in Cloudflare Workers and Wrangler v3. Quick Edit is embedded within the Cloudflare dashboard and is “the fastest way to get up and running with a new worker,” Cloudflare said. It allows developers to preview and deploy changes to code. Wrangler 3 provides developers with an easy-to-debug local testing environment.