- The purpose of this tool is to run a given set of YARA rules against the given node_modules folder.
- With this approach, we can define YARA rules to identify suspicious scripts which are injected into node packages.
- Mainly inspired by these articles.
- This package can be added to the CI/CD pipeline as mentioned below (CI/CD integration).
- Docker
- Docker Compose
- Makefile
- Clone this repo
git clone https://github.com/rpgeeganage/audit-node-modules-with-yara.git
- Execute audit operation
make NODE_MODULE_FOLDER_TO_AUDIT=<path to node_module> run
make NODE_MODULE_FOLDER_TO_AUDIT=../restful4up/node_modules run
The report is available in artifacts/output.json.
[
  {
    "rule": "evil_package_1",
    "string_information": [
      "0x6:$name: \"name\": \"nodecaffe\",",
      "0x1f:$version: \"version\": \"0.0.1\""
    ]
  },
  {
    "rule": "evil_package_2",
    "string_information": [
      "0x6:$name: \"name\": \"sqlserver\",",
      "0x1f:$version: \"version\": \"4.0.5\""
    ]
  },
  {
    "rule": "evil_package_3",
    "string_information": [
      "0x1d:$scripts: \"scripts\":",
      "0x39:$install: \"mkdir -p ~/Desktop/sploit && touch ~/Desktop/sploit/haxx\""
    ]
  }
]
We can use this tool with CI/CD as mentioned below.
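#!/bin/bash
# Abort on any failed step so a broken audit run cannot pass the build
set -euo pipefail
make NODE_MODULE_FOLDER_TO_AUDIT=../restful4up/node_modules run
# Number of entries (matched rules) in the report
suspicious_file_count=$(jq length artifacts/output.json)
# Exit statuses wrap at 256, so fail with a fixed code instead of the raw count
[ "$suspicious_file_count" -eq 0 ] || exit 1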
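A CI gate can also read the report instead of only counting its entries. The following is an added example, not part of this project's code: the function names and the constructed sample report are assumptions, and the entry layout (`0x<offset>:$<identifier>: <matched data>`) is taken from the report shown above.

```javascript
// Constructed sample in the shape of artifacts/output.json shown above.
const SAMPLE_REPORT = JSON.stringify([
  { rule: "evil_package_1", string_information: [
    '0x6:$name: "name": "nodecaffe",',
    '0x1f:$version: "version": "0.0.1"' ] },
  { rule: "evil_package_3", string_information: [
    '0x1d:$scripts: "scripts":',
    '0x39:$install: "mkdir -p ~/Desktop/sploit && touch ~/Desktop/sploit/haxx"' ] },
]);

// Split one "0x<offset>:$<identifier>: <matched data>" entry into its fields.
function parseStringInfo(entry) {
  const m = /^0x([0-9a-fA-F]+):(\$\w*): ?(.*)$/s.exec(entry);
  if (!m) return { offset: null, identifier: null, data: entry }; // keep unparsed evidence
  return { offset: parseInt(m[1], 16), identifier: m[2], data: m[3] };
}

// Parse the report text. Anything that is not an array of findings is an error,
// so a truncated or malformed report is never read as "no findings".
function parseReport(text) {
  const report = JSON.parse(text);
  if (!Array.isArray(report)) throw new TypeError("report must be a JSON array");
  return report.map((f) => {
    if (typeof f.rule !== "string" || !Array.isArray(f.string_information)) {
      throw new TypeError("finding lacks rule or string_information");
    }
    return { rule: f.rule, matches: f.string_information.map(parseStringInfo) };
  });
}

// CI exit status: 0 when clean, 1 otherwise (never the raw count, which wraps at 256).
function gateExitCode(findings) {
  return findings.length === 0 ? 0 : 1;
}

// One line per matched string, for the build log.
function summarize(findings) {
  return findings.flatMap((f) =>
    f.matches.map((m) => `${f.rule} ${m.identifier} @${m.offset}: ${m.data}`));
}

const findings = parseReport(SAMPLE_REPORT);
console.log(summarize(findings).join("\n"));
console.log(`exit status for CI: ${gateExitCode(findings)}`);
```

In a pipeline, read artifacts/output.json from disk, pass its text to `parseReport`, and call `process.exit(gateExitCode(...))` after printing the summary.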
When we need to add new YARA rules, they must be added to the yara_rules folder with extension .yara.
(Existing rules are created based on this article. They might be outdated)
Let's create a rule for this possibly malicious package.
A possible rule is shown below.
rule evil
{
    meta:
        name = "[email protected]"
    strings:
        $scripts = /"scripts":/
        $install = /"mkdir -p ~\/Desktop\/sploit && touch ~\/Desktop\/sploit\/haxx"/
    condition:
        all of them
}
Save this rule in the yara_rules folder as evil.yara, and you are good to go.