Npm maintainers remove malicious packages after typosquatting attempt

Analysts at DevOps security firm JFrog said this week that they found 218 malicious packages targeting the Microsoft Azure npm scope. npm maintainers were quickly notified and the packages were removed, the researchers said.

JFrog’s Andrey Polkovnychenko and Shachar Menashe explained that on Monday, their automated analyzers began alerting them to a set of packages that grew from 50 to 200.

The threat actors used typosquatting – an attack method where threat actors try to trick victims with packages that have the same name as legitimate ones.

“After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure npm scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope,” the two said.

“Currently, the observed malicious payload of these packages were Personally identifiable information stealers. The attacker seemed to target all npm developers that use any of the packages under the @azure scope, with a typosquatting attack. In addition to the @azure scope, a few packages from the following scopes were also targeted – @azure-rest, @azure-tests, @azure-tools and @cadl-lang. Since this set of legitimate packages is downloaded tens of millions of times each week, there is a high chance that some developers will be successfully fooled by the typosquatting attack.”

The people behind the attack sought to obscure the fact that the packages all came from the same author by using randomly generated names to create unique users for each uploaded malicious package.

The two noted that the attacker also sought to specifically go after machines and developers running from internal Microsoft/Azure networks.

“We suspect that this malicious payload was either intended for initial reconnaissance on vulnerable targets (before sending a more substantial payload) or as a bug bounty hunting attempt against Azure users (and possibly Microsoft developers),” the two said, suggesting developers make sure their installed packages are the legitimate ones, by checking that their name starts with the @azure* scope.

Any results that don’t start with an “@azure*” scope may have been affected.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Sean Powers

Sean Powers

is a Senior Supervising Producer for the Click Here podcast. He came to the Recorded Future News from the Scripps Washington Bureau, where he was the lead producer of "Verified," an investigative podcast. Previously, he was in charge of podcasting at Georgia Public Broadcasting in Atlanta, where he helped launch and produced about a dozen shows.