NPM users warned dozens of malicious packages aim to steal host and network data
- Socket found 60 malicious NPM packages
- The malware spoofed legitimate packages
- It was capable of exfiltrating sensitive data
Cybersecurity researchers Socket have warned of multiple malicious packages hosted on NPM, stealing sensitive user data and relaying it to the attackers.
In a blog post, Socket said it identified 60 packages on NPM, which were uploaded from May 12 onward, using three separate accounts. The packages contained a post-install script that runs during ‘npm install’ and exfiltrates hostnames, internal IP addresses, user home directories, current working directories, usernames, and system DNS servers.
The script also checks for hostnames related to cloud providers, and reverse DNS strings, to make sure it’s not running in a sandbox.
While theoretically possible, Socket said the packages did not deliver additional malware, or escalate privileges. Also, no persistence mechanisms were spotted, either.
A new spin on old tricks
Apparently, this was a typical typosquatting attack.
The names of the packages were similar to other, legitimate ones, such as “flipper-plugins”, “react-xterm2”, or “hermes-inspector-msggen”. Based on the names, the researchers surmised that the attackers targeted CI/CD pipelines.
Before being pulled from the repository, the packages were downloaded roughly 3,000 times.
The complete list of the 60 malicious packages can be found on this link. Those who have downloaded any of these are advised to remove them immediately and then run a full system scan. They should also rotate key credentials and activate 2FA where possible.
Socket discovered a separate campaign, also on NPM, and also employing the typosquatting technique. This one, however, distributes eight malicious packages that can delete files, corrupt data, and brick entire systems. They’ve been present on NPM for roughly two years, it was said, and during this time, they managed to amass 6,200 downloads.
Platforms such as NPM or PyPI are constantly targeted by cybercriminals who use it to try and compromise software developers working on open-source projects.
Via BleepingComputer
You might also like
Socket found 60 malicious NPM packages The malware spoofed legitimate packages It was capable of exfiltrating sensitive data Cybersecurity researchers Socket have warned of multiple malicious packages hosted on NPM, stealing sensitive user data and relaying it to the attackers. In a blog post, Socket said it identified 60 packages…
