Npm maintainers remove malicious packages after typosquatting attempt
Jonathan Greig March 26, 2022

Npm maintainers remove malicious packages after typosquatting attempt

Npm maintainers remove malicious packages after typosquatting attempt

Analysts at DevOps security firm JFrog said this week that they found 218 malicious packages targeting the Microsoft Azure npm scope. npm maintainers were quickly notified and the packages were removed, the researchers said. 

JFrog’s Andrey Polkovnychenko and Shachar Menashe explained that on Monday, their automated analyzers began alerting them to a set of packages that grew from 50 to 200.

The threat actors used typosquatting – an attack method where threat actors try to trick victims with packages that have the same name as legitimate ones. 

“After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure npm scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope,” the two said.  

“Currently, the observed malicious payload of these packages were Personally identifiable information stealers. The attacker seemed to target all npm developers that use any of the packages under the @azure scope, with a typosquatting attack. In addition to the @azure scope, a few packages from the following scopes were also targeted – @azure-rest, @azure-tests, @azure-tools and @cadl-lang. Since this set of legitimate packages is downloaded tens of millions of times each week, there is a high chance that some developers will be successfully fooled by the typosquatting attack.”

The people behind the attack sought to obscure the fact that the packages all came from the same author by using randomly generated names to create unique users for each uploaded malicious package. 

The two noted that the attacker also sought to specifically go after machines and developers running from internal Microsoft/Azure networks. 

“We suspect that this malicious payload was either intended for initial reconnaissance on vulnerable targets (before sending a more substantial payload) or as a bug bounty hunting attempt against Azure users (and possibly Microsoft developers),” the two said, suggesting developers make sure their installed packages are the legitimate ones, by checking that their name starts with the @azure* scope.

Any results that don’t start with an “@azure*” scope may have been affected. 

JFrog found that there were about 50 downloads per package, meaning none were downloaded in large numbers. 

‘Many developers will be fooled’

Menashe, JFrog Security’s senior director of research, told The Record that developers should use automatic package filtering as part of a secure software curation process. 

“What’s alarming about this attack is this is a package that is downloaded tens of millions of times each week – meaning there is a high chance many developers will be fooled,” Menashe said. 

Experts said typosquatting has traditionally been used in the domain name space to make a website or email look like it’s from a trustworthy source. 

Valtix principal security researcher Davis McCarthy said the fact that typosquatting is seeping into the supply-chain highlights how dependent software is on third-party packages and that it is so widespread that threat actors see it as a viable attack vector.

“It’s common practice to sanitize user-inputs that come into an application, we should be sanitizing what builds the backend,” McCarthy added. 

Other experts noted that is an ongoing issue with several of the various package managers and to some degree even some of the App Stores.

Depending on how much control the maintainers of the repository have, the likelihood of a successful attack varies, according to cybersecurity advisory firm Coalfire’s Jason Hicks. 

“In many cases packages are signed and only known members of a development team are able to perform this function. In npm’s case, and many others, end users are able to offer up modules, and the vetting of these modules from a security perspective will vary by the package manager. 

“In this particular case due to the sheer volume of users npm has, it’s likely the attack was successful on multiple machines. Based on the nature of the attack it’s more likely to affect new users of npm, but even experienced developers could be affected if they fail to pay close attention to the name of a specific package they are installing. Given how quickly the maintainers took down the malicious content the overall impact to the community should be limited.”

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.