
Audit Node Modules With YARA Rules

(New rules, feedback and PRs are highly appreciated.)

Table of contents

Purpose

Software Requirements

How to use

  1. Clone this repo:

     git clone https://github.com/rpgeeganage/audit-node-modules-with-yara.git

  2. Run the audit, pointing NODE_MODULE_FOLDER_TO_AUDIT at the node_modules folder to scan:

     make NODE_MODULE_FOLDER_TO_AUDIT=<path to node_modules> run

e.g:

make NODE_MODULE_FOLDER_TO_AUDIT=../restful4up/node_modules run

Report

The report is available in artifacts/output.json.

A sample report looks as follows:

[
 {
  "rule": "evil_package_1",
  "string_information": [
   "0x6:$name: \"name\": \"nodecaffe\",",
   "0x1f:$version: \"version\": \"0.0.1\""
  ]
 },
 {
  "rule": "evil_package_2",
  "string_information": [
   "0x6:$name: \"name\": \"sqlserver\",",
   "0x1f:$version: \"version\": \"4.0.5\""
  ]
 },
 {
  "rule": "evil_package_3",
  "string_information": [
   "0x1d:$scripts: \"scripts\":",
   "0x39:$install: \"mkdir -p ~/Desktop/sploit && touch ~/Desktop/sploit/haxx\""
  ]
 }
]

CI/CD Integration

This tool can be used from a CI/CD pipeline with a script such as the one below, which fails the job when the report contains any match.

#!/bin/bash
set -eo pipefail
make NODE_MODULE_FOLDER_TO_AUDIT=../restful4up/node_modules run

# Number of matched rules in the report (0 when nothing matched)
suspicious_file_count=$(jq length artifacts/output.json)

# Fail on any match. A fixed status is used instead of the raw count: exit
# statuses are truncated to 8 bits, so 256 matches passed to exit would read as success.
[ "$suspicious_file_count" -eq 0 ] || exit 1
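The report format above (one entry per matched rule, each match line being offset, string identifier and matched data) and the CI gate can be handled in one place. The following is an added example, not part of this repository: it parses the sample report into structured findings, pulls the package name and version out of the matched data where the rule captured them, and returns the exit status the pipeline should use.

```python
import json
import re
from typing import Dict, List

# One "string_information" entry: <hex offset>:<$identifier>: <matched data>
MATCH_RE = re.compile(r"^(0x[0-9a-fA-F]+):(\$[A-Za-z0-9_]+): (.*)$", re.S)
# A JSON "key": "value" pair inside the matched data, e.g. "name": "nodecaffe"
KV_RE = re.compile(r'"([A-Za-z0-9_]+)":\s*"([^"]*)"')

def parse_match(line: str) -> Dict[str, object]:
    """Split one match line into offset, YARA string identifier and matched data."""
    m = MATCH_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised match line: {line!r}")
    offset, ident, data = m.groups()
    return {"offset": int(offset, 16), "identifier": ident,
            "data": data, "fields": dict(KV_RE.findall(data))}

def parse_report(text: str) -> List[Dict[str, object]]:
    """One finding per matched rule, with package name/version when the rule captured them."""
    findings = []
    for entry in json.loads(text):
        matches = [parse_match(s) for s in entry["string_information"]]
        fields: Dict[str, str] = {}
        for mt in matches:
            fields.update(mt["fields"])
        findings.append({"rule": entry["rule"], "package": fields.get("name"),
                         "version": fields.get("version"), "matches": matches})
    return findings

def ci_exit_status(findings: List[Dict[str, object]]) -> int:
    """Fail the job on any finding. A fixed 1 is returned rather than the count:
    exit statuses are 8-bit, so 256 findings passed to exit would read as success."""
    return 1 if findings else 0

SAMPLE_REPORT = json.dumps([  # copied from the sample report in this README
    {"rule": "evil_package_1", "string_information": [
        '0x6:$name: "name": "nodecaffe",', '0x1f:$version: "version": "0.0.1"']},
    {"rule": "evil_package_2", "string_information": [
        '0x6:$name: "name": "sqlserver",', '0x1f:$version: "version": "4.0.5"']},
    {"rule": "evil_package_3", "string_information": [
        '0x1d:$scripts: "scripts":',
        '0x39:$install: "mkdir -p ~/Desktop/sploit && touch ~/Desktop/sploit/haxx"']},
])

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)  # in CI: open("artifacts/output.json").read()
    for f in found:
        print(f"{f['rule']}: {f['package'] or '?'}@{f['version'] or '?'} ({', '.join(m['identifier'] for m in f['matches'])})")
    raise SystemExit(ci_exit_status(found))
```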

Adding new YARA rules

New YARA rules go in the yara_rules folder and must use the .yara extension.

(The existing rules are based on this article and may be outdated.)

Sample YARA rule

Let's create a rule for this possible malicious package.

A possible rule is shown below.

rule evil
{
    meta:
        name = "evil@0.0.1"

    strings:
        // the "scripts" block of the package's package.json
        $scripts = /"scripts":/
        // the install-hook command from that block; "/" must be escaped inside a YARA regex
        $install = /"mkdir -p ~\/Desktop\/sploit && touch ~\/Desktop\/sploit\/haxx"/

    condition:
        all of them
}

Save this rule in the yara_rules folder as evil.yara, and you are good to go.