audit node modules with yara
Initial release
The purpose of this tool is to run a given set of YARA rules against a given node_modules folder.
With this approach, we can define YARA rules that identify suspicious scripts injected into node packages.
Mainly inspired by these articles.
This package can be added to a CI/CD pipeline as described below (CI/CD integration).
git clone https://github.com/rpgeeganage/audit-node-modules-with-yara.git
make NODE_MODULE_FOLDER_TO_AUDIT=<path to node_module> run

Example:

make NODE_MODULE_FOLDER_TO_AUDIT=../restful4up/node_modules run

The report is available in artifacts/output.json.
[
  {
    "rule": "evil_package_1",
    "string_information": [
      "0x6:$name: \"name\": \"nodecaffe\",",
      "0x1f:$version: \"version\": \"0.0.1\""
    ]
  },
  {
    "rule": "evil_package_2",
    "string_information": [
      "0x6:$name: \"name\": \"sqlserver\",",
      "0x1f:$version: \"version\": \"4.0.5\""
    ]
  },
  {
    "rule": "evil_package_3",
    "string_information": [
      "0x1d:$scripts: \"scripts\":",
      "0x39:$install: \"mkdir -p ~/Desktop/sploit && touch ~/Desktop/sploit/haxx\""
    ]
  }
]

We can use this tool with CI/CD as shown below.
#!/bin/bash
# Run the audit, then count the entries in the report with jq.
make NODE_MODULE_FOLDER_TO_AUDIT=../restful4up/node_modules run
suspicious_file_count=$(jq length artifacts/output.json)
# A non-zero count becomes a non-zero exit status, which fails the pipeline step.
exit $suspicious_file_count

When we need to add new YARA rules, they must be added to the yara_rules folder with the extension .yara.
(Existing rules are created based on this article. They might be outdated.)
A possible rule looks like this:
rule evil
{
    meta:
        name = "[email protected]"
    strings:
        $scripts = /"scripts":/
        $install = /"mkdir -p ~\/Desktop\/sploit && touch ~\/Desktop\/sploit\/haxx"/
    condition:
        all of them
}

Save this rule in the yara_rules folder as evil.yara, and you are good to go.
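The two rule shapes above (name/version match, and the CI gate over artifacts/output.json) can be maintained from a list of known-bad package versions rather than hand-written one by one. The following is an added example, not part of this project: it generates rules in the same layout (text strings instead of the page's regex strings, so scoped names containing `/` need no regex escaping), and implements the report check with a fixed exit code, because shell exit statuses wrap modulo 256 and a raw count of 256 findings would read as success. The `BAD_PACKAGES` list is a constructed sample.

```python
# Added example: generate YARA rules for known-bad npm package versions in the
# layout used above, and gate CI on artifacts/output.json.
import json
import re

# Constructed sample of (package, version) pairs to flag; not a real advisory list.
BAD_PACKAGES = [
    ("nodecaffe", "0.0.1"),
    ("sqlserver", "4.0.5"),
    ("@evil-scope/helper", "1.2.3"),
]


def rule_identifier(pkg: str, version: str) -> str:
    """YARA rule names allow only [A-Za-z0-9_], so sanitize name and version."""
    return re.sub(r"[^A-Za-z0-9_]", "_", f"evil_{pkg}_{version}")


def yara_text(value: str) -> str:
    """Escape a value for use inside a double-quoted YARA text string."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def make_rule(pkg: str, version: str) -> str:
    """One rule per bad package: both the name and version fields must match."""
    name_str = yara_text(f'"name": "{pkg}"')
    ver_str = yara_text(f'"version": "{version}"')
    return "\n".join([
        f"rule {rule_identifier(pkg, version)}",
        "{",
        "    meta:",
        f'        package = "{yara_text(pkg)}@{yara_text(version)}"',
        "    strings:",
        f'        $name = "{name_str}"',
        f'        $version = "{ver_str}"',
        "    condition:",
        "        all of them",
        "}",
    ])


def build_ruleset(packages=BAD_PACKAGES) -> str:
    """Concatenate all rules into one .yara file body."""
    return "\n\n".join(make_rule(p, v) for p, v in packages) + "\n"


def gate_exit_code(report_text: str) -> int:
    """CI gate over the JSON report: exit 1 if any rule fired, else 0."""
    return 1 if json.loads(report_text) else 0


if __name__ == "__main__":
    print(build_ruleset())
```

Write the output of `build_ruleset()` to a file such as yara_rules/known_bad.yara, then have the pipeline step exit with `gate_exit_code()` over the report contents.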