Spectra Assure

failIncident: Malware

Scanned:

Merger

latest

removed

malicious

Research

Merging Tool, merges all nuget packages and libraries into one .net assembly

License: unknown

Published:

See on NuGet

SAFE Assessment

Compliance

Licenses

No license compliance issues

Secrets

2 debugging symbols found

Security

Vulnerabilities

No known vulnerabilities detected

Hardening

2 outdated toolchains detected

Threats

Tampering

1 components prone to hijacking

Malware

5 supply chain attack artifacts

INCIDENTS FOR THIS VERSION:

removal

Reported By: Community

malware

Reported By: ReversingLabs (Researcher)

See more info on our blog

List of software quality issues with the number of affected components.

Policies

Info

Problem

Proprietary ReversingLabs malware detection algorithms have determined that the software package contains one or more malicious components. The detection was made by either a static byte signature, software component identity, or a complete file hash. This malware detection method is considered highly accurate, and can typically attribute malware to previously discovered software supply chain attacks. It is common to have multiple supply chain attack artifacts that relate to a single malware incident.

Prevalence in NuGet community

0 packages

found in

Top 100

0 packages

found in

Top 1k

2 packages

found in

Top 10k

751 packages

in community

Next steps

If the software intent does not relate to malicious behavior, investigate the build and release environment for software supply chain compromise.

Avoid using this software package.

Problem

Threat researchers have manually inspected the software package and determined that it contains one or more malicious files. The detection was made by a hash-based file reputation lookup. This malware detection method is considered highly accurate, and can typically identify the malware family by name.

Prevalence in NuGet community

0 packages

found in

Top 100

0 packages

found in

Top 1k

1 packages

found in

Top 10k

749 packages

in community

Next steps

Investigate the build and release environment for software supply chain compromise.

Avoid using this software package.

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. Open source projects are the intellectual property of their respective authors. At any time, the authors may choose to completely remove the software component from a public repository. This often occurs when a software project reaches its end-of-life stage, or when the software authors lose interest in maintaining the project. This kind of removal frees up the software package name, its unique software identifier in the public repository, for other developers to use. However, new software project owners might have malicious intent. Threat actors are continuously monitoring popular package names in case their unique identifiers suddenly become available for hijacking. Once the software projects falls under new ownership, the new maintainers may opt to use the project popularity to spread malware to unsuspecting users.

Prevalence in NuGet community

0 packages

found in

Top 100

1 packages

found in

Top 1k

34 packages

found in

Top 10k

240.72k packages

in community

Next steps

Inspect behaviors exhibited by the detected software components.

If the software behaviors differ from expected, investigate the build and release environment for software supply chain compromise.

Revise the use of components that raise these alarms. If you can't deprecate those components, make sure that their versions are pinned.

Avoid using this software package until it is vetted as safe.

Problem

Program database (PDB) files are typically only used during software development. They contain private debug symbols that make it significantly easier to reverse engineer a closed-source application. In some cases, having a program database file is equivalent to having access to the source code. Presence of program databases could indicate that one or more software components have been built using a debug profile, instead of the release.

Prevalence in NuGet community

0 packages

found in

Top 100

92 packages

found in

Top 1k

1151 packages

found in

Top 10k

21.32k packages

in community

Next steps

Private debug database files should not be embedded within executables, and you should remove them from the software package before releasing it.

The integrity verification of the embedded database files should not be done with insecure hashing algorithms. SHA1 and MD5 hashes should be deprecated throughout the application, and a more secure SHA256 algorithm should be used instead.

Problem

Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. While most behaviors are benign, some are commonly abused by malicious software with the intent to cause harm. When a software package shares behavior traits with malicious software, it may become flagged by security solutions. Any detection from security solutions can cause friction for the end-users during software deployment. While the behavior is likely intended by the developer, there is a small chance this detection is true positive, and an early indication of a software supply chain attack.

Prevalence in NuGet community

0 packages

found in

Top 100

27 packages

found in

Top 1k

936 packages

found in

Top 10k

22.91k packages

in community

Next steps

Investigate reported detections.

If the software intent does not relate to the reported behavior, investigate your build and release environment for software supply chain compromise.

You should delay the software release until the investigation is completed, or until the issue is risk accepted.

Consider rewriting the flagged code without using the marked behaviors.

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. While a new software project is a welcome addition to the open source community. it is not always prudent to indiscriminately use the latest components when building a commercial application. Irrespective of the software quality, the danger of using components that are rarely used to build applications lies in the fact that the software component may contain novel, currently undetected malicious code. Therefore, it is prudent to review software component behaviors and even try out software component in a sandbox, an environment meant for testing untrusted code.

Prevalence in NuGet community

0 packages

found in

Top 100

118 packages

found in

Top 1k

1749 packages

found in

Top 10k

656.38k packages

in community

Next steps

Check the software component behaviors for anomalies.

Consider exploratory software component testing within a sandbox environment.

Consider replacing the software component with a more widely used alternative.

Avoid using this software package until it is vetted as safe.

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Open source communities depend on the work of thousands of software developers that volunteer their time to maintain software components. Software developers build up the reputation of their open source projects by developing in public. Modern source code repositories have many social features that allow software developers to handle bug reports, have discussions with their users, and convey reaching significant project milestones. It is uncommon to find open source projects that omit linking their component to a publicly accessible source code repository.

Prevalence in NuGet community

99 packages

found in

Top 100

723 packages

found in

Top 1k

6007 packages

found in

Top 10k

575.57k packages

in community

Next steps

Check the software component behaviors for anomalies.

Consider exploratory software component testing within a sandbox environment.

Consider replacing the software component with a more widely used alternative.

Avoid using this software package until it is vetted as safe.

Problem

Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures verify the origin and the integrity of the object they apply to. The integrity validation relies on the cryptographic strength of the encryption and the hash verification algorithm. If either of the two is considered weak by current standards, there is a chance the signed object could be maliciously modified, without triggering the integrity failure check.

Prevalence in NuGet community

100 packages

found in

Top 100

899 packages

found in

Top 1k

8997 packages

found in

Top 10k

755.66k packages

in community

Next steps

Create signatures with strong ECC key-length of at least 224 bits, or RSA key-length of at least 2048 bits, and use SHA256 as the hashing algorithm. While encryption key-length upgrade does require you to obtain a new certificate, the hashing algorithm can freely be selected during signing.

With Microsoft SignTool, you can specify the hashing algorithm using the /fd SHA256 parameter.

Problem

Debug databases are typically only used during software development. On Windows, they are usually files embedded into the executable (PDB), while on Linux, they're contained inside special executable sections. The databases contain private debug symbols that make it significantly easier to reverse-engineer a closed-source application. In some cases, having a debug database is equivalent to having access to the source code. Presence of debug databases could indicate that one or more software components have been built using a debug profile, instead of the release. Private debug databases can be embedded into software components by programming language tools.

Prevalence in NuGet community

0 packages

found in

Top 100

101 packages

found in

Top 1k

1249 packages

found in

Top 10k

23.41k packages

in community

Next steps

To remediate this issue and remove private debugging information, refer to your programming language toolchain documentation.

Problem

Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures are made using digital certificates, which can either be purchased from certificate authorities or be self-issued. When a certificate is purchased from a certificate authority, the subject that requests it goes through an identity validation process. Depending on the certificate type, those checks can be basic or extended. Confirming the subject identity is a multi-step process, and the requesting subject can be mapped to its legal entity name only through extended validation of submitted documents. Extended identity validation typically costs more, and it takes longer for a certificate to be issued when this process is correctly followed.

Prevalence in NuGet community

100 packages

found in

Top 100

898 packages

found in

Top 1k

8984 packages

found in

Top 10k

754.38k packages

in community

Next steps

Consider the benefits of acquiring extended validation certificates. Operating systems tend to be more trusting of software packages signed in this way. Certain security warnings and prompts might also be automatically suppressed. This reduces the number of support tickets for organizations that opt to use extended validation certificates.

Did you know...

... that you can use ReversingLabs’ Spectra Assure platform to perform regular risk assessments of packages you develop in-house?

We recommend continuous software safeness monitoring through CI/CD integrations and pre-release/deployment checks. In addition to basic package information found on this page our platform offers rich reports for developers and DevSecOps that help them remediate all reported issues.

This website uses cookies to ensure the best website experience. By continuing to use this website you are giving your consent to cookies being used. Detailed information about our use of cookies is here.

List of software quality issues with the number of affected components.

Policies

Info

Problem

Prevalence in NuGet community

0 packages

found in

Top 100

0 packages

found in

Top 1k

2 packages

found in

Top 10k

751 packages

in community

Next steps

If the software intent does not relate to malicious behavior, investigate the build and release environment for software supply chain compromise.

Avoid using this software package.

Problem

Prevalence in NuGet community

0 packages

found in

Top 100

0 packages

found in

Top 1k

1 packages

found in

Top 10k

749 packages

in community

Next steps

Investigate the build and release environment for software supply chain compromise.

Avoid using this software package.

Problem

Prevalence in NuGet community

0 packages

found in

Top 100

1 packages

found in

Top 1k

34 packages

found in

Top 10k

240.72k packages

in community

Next steps

Inspect behaviors exhibited by the detected software components.

If the software behaviors differ from expected, investigate the build and release environment for software supply chain compromise.

Revise the use of components that raise these alarms. If you can't deprecate those components, make sure that their versions are pinned.

Avoid using this software package until it is vetted as safe.

Problem

Prevalence in NuGet community

0 packages

found in

Top 100

92 packages

found in

Top 1k

1151 packages

found in

Top 10k

21.32k packages

in community

Next steps

Private debug database files should not be embedded within executables, and you should remove them from the software package before releasing it.

Problem

Prevalence in NuGet community

0 packages

found in

Top 100

27 packages

found in

Top 1k

936 packages

found in

Top 10k

22.91k packages

in community

Next steps

Investigate reported detections.

If the software intent does not relate to the reported behavior, investigate your build and release environment for software supply chain compromise.

You should delay the software release until the investigation is completed, or until the issue is risk accepted.

Consider rewriting the flagged code without using the marked behaviors.

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. While a new software project is a welcome addition to the open source community. it is not always prudent to indiscriminately use the latest components when building a commercial application. Irrespective of the software quality, the danger of using components that are rarely used to build applications lies in the fact that the software component may contain novel, currently undetected malicious code. Therefore, it is prudent to review software component behaviors and even try out software component in a sandbox, an environment meant for testing untrusted code.

Prevalence in NuGet community

0 packages

found in

Top 100

118 packages

found in

Top 1k

1749 packages

found in

Top 10k

656.38k packages

in community

Next steps

Check the software component behaviors for anomalies.

Consider exploratory software component testing within a sandbox environment.

Consider replacing the software component with a more widely used alternative.

Avoid using this software package until it is vetted as safe.

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Open source communities depend on the work of thousands of software developers that volunteer their time to maintain software components. Software developers build up the reputation of their open source projects by developing in public. Modern source code repositories have many social features that allow software developers to handle bug reports, have discussions with their users, and convey reaching significant project milestones. It is uncommon to find open source projects that omit linking their component to a publicly accessible source code repository.

Prevalence in NuGet community

99 packages

found in

Top 100

723 packages

found in

Top 1k

6007 packages

found in

Top 10k

575.57k packages

in community

Next steps

Check the software component behaviors for anomalies.

Consider exploratory software component testing within a sandbox environment.

Consider replacing the software component with a more widely used alternative.

Avoid using this software package until it is vetted as safe.

Problem

Prevalence in NuGet community

100 packages

found in

Top 100

899 packages

found in

Top 1k

8997 packages

found in

Top 10k

755.66k packages

in community

Next steps

With Microsoft SignTool, you can specify the hashing algorithm using the /fd SHA256 parameter.

Problem

Prevalence in NuGet community

0 packages

found in

Top 100

101 packages

found in

Top 1k

1249 packages

found in

Top 10k

23.41k packages

in community

Next steps

To remediate this issue and remove private debugging information, refer to your programming language toolchain documentation.

Problem

Prevalence in NuGet community

100 packages

found in

Top 100

898 packages

found in

Top 1k

8984 packages

found in

Top 10k

754.38k packages

in community

Merger

SAFE Assessment

Compliance

Security

Threats

IMPORTANT: All versions of this package have been maliciousLatest version with malware incident detected: about 2 years agoVersion: 4.2.6

INCIDENTS FOR THIS VERSION:

SQ30105Detected presence of known software supply chain attack artifacts.Causes risk: supply chain attack artifactsthreats

Problem

Prevalence in NuGet community

Next steps

SQ30109Detected presence of malicious files through analyst-vetted file reputation.Causes risk: analyst-vetted malware foundthreats

Problem

Prevalence in NuGet community

Next steps

TH30103Detected presence of software components that were removed from the public package repository.Causes risk: components prone to hijackinghunting

Problem

Prevalence in NuGet community

Next steps

SQ14160Detected Windows executable files that embed PDB files whose integrity is verified with an insecure hashing algorithm.Causes risk: outdated toolchains detectedhardening

Problem

Prevalence in NuGet community

Next steps

TH15103Detected presence of files with behaviors commonly used by malicious software.hunting

Problem

Prevalence in NuGet community

Next steps

TH30107Detected presence of software components that are rarely included by other public software packages.hunting

Problem

Prevalence in NuGet community

Next steps

TH30112Detected presence of software components without a declared source code repository.hunting

Problem

Prevalence in NuGet community

Next steps

SQ20119Detected digital signatures that rely on a weak digest algorithm for integrity validation.signatures

Problem

Prevalence in NuGet community

Next steps

SQ34203Detected presence of hardcoded debug databases.Causes risk: debugging symbols foundsecrets

Problem

Prevalence in NuGet community

Next steps

SQ20121Detected digital signatures that have not been performed with an extended validation certificate.signatures

Problem

Prevalence in NuGet community

Next steps

Did you know...

SQ30105Detected presence of known software supply chain attack artifacts.Causes risk: supply chain attack artifactsthreats

Problem

Prevalence in NuGet community

Next steps

SQ30109Detected presence of malicious files through analyst-vetted file reputation.Causes risk: analyst-vetted malware foundthreats

Problem

Prevalence in NuGet community

Next steps

TH30103Detected presence of software components that were removed from the public package repository.Causes risk: components prone to hijackinghunting

Problem

Prevalence in NuGet community

Next steps

SQ14160Detected Windows executable files that embed PDB files whose integrity is verified with an insecure hashing algorithm.Causes risk: outdated toolchains detectedhardening

Problem

Prevalence in NuGet community

Next steps

TH15103Detected presence of files with behaviors commonly used by malicious software.hunting

Problem

Prevalence in NuGet community

Next steps

TH30107Detected presence of software components that are rarely included by other public software packages.hunting

Problem

Prevalence in NuGet community

Next steps

TH30112Detected presence of software components without a declared source code repository.hunting

Problem

Prevalence in NuGet community

Next steps

SQ20119Detected digital signatures that rely on a weak digest algorithm for integrity validation.signatures

Problem

Prevalence in NuGet community

Next steps