- The purpose of this tool is to run a given set of YARA rules against a given `node_modules` folder.
- With this approach, we can define YARA rules to identify suspicious scripts that have been injected into node packages.
- Mainly inspired by these articles.
- This package can be added to the CI/CD pipeline as described below (CI/CD integration).

Requirements:
- Docker
- Docker Compose
- Makefile
Usage:

- Clone this repo

  ```sh
  git clone https://github.com/rpgeeganage/audit-node-modules-with-yara.git
  ```

- Execute the audit operation

  ```sh
  make NODE_MODULE_FOLDER_TO_AUDIT=<path to node_modules> run
  ```

  For example:

  ```sh
  make NODE_MODULE_FOLDER_TO_AUDIT=../restful4up/node_modules run
  ```

The report is available in `artifacts/output.json`. A sample report:
```json
[
  {
    "rule": "evil_package_1",
    "string_information": [
      "0x6:$name: \"name\": \"nodecaffe\",",
      "0x1f:$version: \"version\": \"0.0.1\""
    ]
  },
  {
    "rule": "evil_package_2",
    "string_information": [
      "0x6:$name: \"name\": \"sqlserver\",",
      "0x1f:$version: \"version\": \"4.0.5\""
    ]
  },
  {
    "rule": "evil_package_3",
    "string_information": [
      "0x1d:$scripts: \"scripts\":",
      "0x39:$install: \"mkdir -p ~/Desktop/sploit && touch ~/Desktop/sploit/haxx\""
    ]
  }
]
```

We can use this tool in CI/CD as shown below: the pipeline step fails whenever the report contains at least one match.
```bash
#!/bin/bash
set -euo pipefail
make NODE_MODULE_FOLDER_TO_AUDIT=../restful4up/node_modules run
# the report is a JSON array with one element per match; fail the build when it is non-empty
suspicious_file_count=$(jq length artifacts/output.json)
# not `exit $count`: shell exit codes wrap modulo 256, so 256 matches would report success
[ "$suspicious_file_count" -eq 0 ] || exit 1
```

When we need to add new YARA rules, they must be added to the `yara_rules` folder with the extension `.yara`.
(The existing rules were created based on this article. They might be outdated.)

Let's create a rule for this possible malicious package. A possible rule is shown below.
```yara
rule evil
{
    meta:
        name = "evil@0.0.1"
    strings:
        $scripts = /"scripts":/
        $install = /"mkdir -p ~\/Desktop\/sploit && touch ~\/Desktop\/sploit\/haxx"/
    condition:
        all of them
}
```

Save this rule in the `yara_rules` folder as `evil.yara`, and you are good to go.
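The rule above matches one known payload literally, so it only catches that exact package. The rule below is an added example, not one of the rules shipped in this repository's `yara_rules` folder: it keys on the npm lifecycle hooks (`preinstall`, `install`, `postinstall`) that run automatically during `npm install`, combined with download-and-execute patterns commonly seen in them. The hook names, command patterns and size threshold are assumptions to be tuned, not values taken from the page.

```yara
rule suspicious_lifecycle_script
{
    meta:
        description = "package.json lifecycle hook chained with a download-and-execute command"
        note = "added example rule; patterns and threshold are assumptions to be tuned"
    strings:
        // npm runs these hooks automatically during `npm install`
        $hook = /"(pre|post)?install"\s*:/
        // a downloader piped straight into a shell
        $fetch_pipe = /(curl|wget)\s[^"]*\|\s*(ba)?sh/
        // inline JavaScript handed to node on the command line
        $node_eval = /node\s+-e\s/
        // decoding an embedded base64 blob before running it
        $b64_decode = /base64\s+(-d|--decode)/
    condition:
        // package.json files are small; skip large bundled JS to cut noise
        filesize < 200KB and $hook and 1 of ($fetch_pipe, $node_eval, $b64_decode)
}
```

Save it in `yara_rules/` with a `.yara` extension like any other rule. A legitimate build script can contain the same tokens, so treat a hit as triage input for a human review rather than a verdict.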