Audit a node_modules folder with YARA rules to identify possible malicious packages hiding in node_modules
rpgeeganage/audit-node-modules-with-yara
Audit Node Modules With YARA Rules

(New rules, feedback and PRs are highly appreciated)

Table of contents

Purpose

Software Requirements

  • Docker
  • Docker Compose
  • Makefile

How to use

  1. Clone this repo
git clone https://github.com/rpgeeganage/audit-node-modules-with-yara.git
  2. Run the audit
make NODE_MODULE_FOLDER_TO_AUDIT=<path to node_modules> run

e.g.:

make NODE_MODULE_FOLDER_TO_AUDIT=../restful4up/node_modules run

Report

The report is available in artifacts/output.json.

A sample report looks as follows:

[
 {
  "rule": "evil_package_1",
  "string_information": [
   "0x6:$name: \"name\": \"nodecaffe\",",
   "0x1f:$version: \"version\": \"0.0.1\""
  ]
 },
 {
  "rule": "evil_package_2",
  "string_information": [
   "0x6:$name: \"name\": \"sqlserver\",",
   "0x1f:$version: \"version\": \"4.0.5\""
  ]
 },
 {
  "rule": "evil_package_3",
  "string_information": [
   "0x1d:$scripts: \"scripts\":",
   "0x39:$install: \"mkdir -p ~/Desktop/sploit && touch ~/Desktop/sploit/haxx\""
  ]
 }
]

CI/CD Integration

The tool can be used as a CI/CD gate as shown below: the job fails whenever the report contains at least one rule match.

#!/bin/bash
# Stop on any error so a failed scan cannot be mistaken for a clean one.
set -euo pipefail
make NODE_MODULE_FOLDER_TO_AUDIT=../restful4up/node_modules run

# Each element of the report is one matched rule.
suspicious_file_count=$(jq length artifacts/output.json)

# Exit codes wrap modulo 256, so exit with 1 rather than the raw count.
[ "$suspicious_file_count" -eq 0 ] || exit 1
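The same gate can be applied without jq, and the report can be turned into a readable summary (which package and version each rule hit). The following is an added example, not part of this repository; it parses the artifacts/output.json format shown above and assumes the matched-string layout "offset:$identifier: data" seen in the sample report.

```python
"""Parse a report in the artifacts/output.json format and decide a CI gate."""
import json
import re

# Constructed sample in the format of the README's report (not a real scan).
SAMPLE_REPORT = json.dumps([
    {"rule": "evil_package_1",
     "string_information": ['0x6:$name: "name": "nodecaffe",',
                            '0x1f:$version: "version": "0.0.1"']},
    {"rule": "evil_package_3",
     "string_information": ['0x1d:$scripts: "scripts":',
                            '0x39:$install: "mkdir -p ~/Desktop/sploit'
                            ' && touch ~/Desktop/sploit/haxx"']},
])

# One string_information entry is "<hex offset>:$<identifier>: <matched data>".
MATCH_RE = re.compile(r'^(0x[0-9a-fA-F]+):\$([A-Za-z0-9_]+): (.*)$')
# Assumption: $name / $version matches contain the package.json key/value pair.
KV_RE = re.compile(r'"(name|version)":\s*"([^"]*)"')


def parse_match(entry):
    """Split one string_information entry into (offset, identifier, data)."""
    m = MATCH_RE.match(entry)
    if not m:
        raise ValueError(f"unexpected match line: {entry!r}")
    return int(m.group(1), 16), m.group(2), m.group(3)


def summarize(report_json):
    """One summary per hit: rule, identifiers that matched, package name/version."""
    hits = []
    for hit in json.loads(report_json):
        summary = {"rule": hit["rule"], "identifiers": [],
                   "name": None, "version": None}
        for entry in hit.get("string_information", []):
            _offset, ident, data = parse_match(entry)
            summary["identifiers"].append(ident)
            kv = KV_RE.search(data)
            if kv:
                summary[kv.group(1)] = kv.group(2)
        hits.append(summary)
    return hits


def ci_exit_code(report_json):
    """1 if any rule matched, else 0. Exit codes wrap modulo 256, so
    exiting with the raw count would report success for exactly 256 hits."""
    return 1 if summarize(report_json) else 0
```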

Adding new YARA rules

New YARA rules go in the yara_rules folder and must use the .yara extension.

(The existing rules were created from this article and may be outdated.)

Sample YARA rule

Let's create a rule for this possible malicious package.

A possible rule is shown below. It matches a package.json whose scripts block contains the exact install command used by that package:

rule evil
{
    meta:
        name = "evil@0.0.1"

    strings:
        // the "scripts" block of package.json
        $scripts = /"scripts":/
        // the lifecycle command the malicious package runs on install
        $install = /"mkdir -p ~\/Desktop\/sploit && touch ~\/Desktop\/sploit\/haxx"/

    condition:
        all of them
}

Save this rule in the yara_rules folder as evil.yara, and you are good to go.