Malware often attempts to hide activities by obfuscating data, strings and functions in the package source code. This inhibits analysis of the application by masking critical mechanisms the malicious code uses to operate.
The obfuscations are typically trivial to unravel, since they rely on common encodings like base64. While high-entropy or encoded blocks of data are not, in general, indicative of malware, nearly all malware will include some encrypted or encoded data blocks.
We identify obfuscated data in the source code of customer dependencies. If the volume of obfuscated blocks exceeds the requisite threshold, we penalize the package score.
Large numbers of obfuscated strings are uncommon in benign software. A package that uses large numbers of obfuscated strings may be attempting to hide malicious behavior from the developer.
The presence of encrypted, encoded or obfuscated strings is not, by itself, indicative of malicious behavior. It is, however, an interesting data point. Large numbers of obfuscated strings will have a moderate effect on lowering the package score.
The long strings (in blue) likely contain calls that perform some malicious action; these are the kinds of items this heuristic identifies.
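As an added illustration of how such a heuristic can be built (this is example code written for this page, not the scanner's own implementation), the following Python scans string literals in a source file, classifies each long literal as hex, base64 or otherwise high-entropy, counts the hits, and applies a score penalty once the count crosses a threshold. The minimum literal length, the block threshold, the penalty size and the entropy cut-off are all illustrative assumptions, and the sample source is constructed inline.

```python
"""Added example: a minimal obfuscated-string heuristic.

Not the vendor's code; the thresholds and the penalty value are assumed,
chosen only to make the example concrete.
"""
import base64
import binascii
import math
import re
from dataclasses import dataclass
from typing import Optional

MIN_LEN = 20             # assumed: shorter literals are ignored
BLOCK_THRESHOLD = 2      # assumed: penalize at this many obfuscated literals
PENALTY_POINTS = 15      # assumed: a "moderate" penalty on a 0-100 score
HIGH_ENTROPY_BITS = 5.0  # assumed: opaque data that is neither hex nor base64

# Double- or single-quoted literals with no escapes or newlines (good enough
# for the example; a real scanner would use a language-aware tokenizer).
_STRING_LITERAL = re.compile(r'"([^"\\\n]*)"' + r"|'([^'\\\n]*)'")
_HEX = re.compile(r"^[0-9a-fA-F]+$")
_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not text:
        return 0.0
    counts: dict = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(literal: str) -> Optional[str]:
    """Return 'hex', 'base64', 'high-entropy' or None for one literal."""
    if len(literal) < MIN_LEN:
        return None
    # Hex is checked first: a long hex string is also a syntactically valid
    # base64 string, and its entropy can be low (repeated bytes).
    if len(literal) % 2 == 0 and _HEX.match(literal):
        return "hex"
    if len(literal) % 4 == 0 and _B64.match(literal):
        try:
            base64.b64decode(literal, validate=True)
            return "base64"
        except (binascii.Error, ValueError):
            pass
    if shannon_entropy(literal) >= HIGH_ENTROPY_BITS:
        return "high-entropy"
    return None


@dataclass
class Finding:
    kind: str
    literal: str
    entropy: float


def find_obfuscated_literals(source: str) -> list:
    """Scan source text and return one Finding per obfuscated literal."""
    findings = []
    for m in _STRING_LITERAL.finditer(source):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        kind = classify(literal)
        if kind:
            findings.append(Finding(kind, literal, round(shannon_entropy(literal), 2)))
    return findings


def score_penalty(findings: list) -> int:
    """Penalty to subtract from the package score once the threshold is met."""
    return PENALTY_POINTS if len(findings) >= BLOCK_THRESHOLD else 0


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample: JavaScript-like source with three benign literals and
# three encoded ones. It is not taken from any real package.
SAMPLE_SOURCE = f'''
const greeting = "hello world";
const endpoint = "https://example.invalid/api/v1/resources";
const help = "This module parses configuration files and returns a dictionary.";
const payload = "{_b64("constructed sample payload one: nothing is executed here")}";
const blob = '{_b64("constructed sample payload two, somewhat longer than the first")}';
const key = "{"deadbeef" * 6}";
'''

if __name__ == "__main__":
    found = find_obfuscated_literals(SAMPLE_SOURCE)
    for f in found:
        print(f"{f.kind:12} entropy={f.entropy:.2f} {f.literal[:40]}...")
    print("penalty:", score_penalty(found))
```

Running it reports the two base64 literals and the hex key, and a penalty of 15 because three findings exceed the assumed threshold of two; the URL and the English help text are left alone, which is the point the page makes about a single encoded block not being evidence on its own. The `high-entropy` fallback exists to catch custom-encoded blobs that are neither hex nor base64; its cut-off is set well above the roughly 4 bits per character of ordinary English so that long prose literals do not trip it.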