- Socket found 60 malicious npm packages
- Legitimate packages were impersonated by malicious ones
- The packages were capable of exfiltrating sensitive data
Security researchers at Socket have warned about a set of malicious packages hosted on npm that steal sensitive user data and relay it to the attackers.
In a blog post, Socket said it had identified 60 packages on npm, published since May 12 from three separate accounts. The packages contain a post-install script that runs automatically during `npm install` and exfiltrates the hostname, internal IP addresses, the user's home directory, the current working directory, the username and the system's DNS servers.
The script also checks for hostnames associated with cloud providers and for reverse-DNS-style strings, to make sure it is not running in a sandbox or analysis environment.
Although it would have been technically possible, Socket said the packages did not drop additional malware or escalate privileges. No persistence mechanism was spotted either.
A new twist on old tricks
By all appearances, this was a typical typosquatting attack.
The package names were chosen to resemble existing ones, such as “Flipper-Plugins”, “React-Xterm2” or “Hermes-Insepector-Msggen”. Based on those names, the researchers assumed the attackers were targeting CI/CD pipelines.
Before they were removed from the registry, the packages had been downloaded about 3,000 times.
The complete list of the 60 malicious packages is available at this link. Anyone who installed one of them is advised to remove it immediately and then run a full system scan. Because the script harvests host and account details, they should also rotate any credentials that were available on the affected machine and enable 2FA wherever possible.
Socket also discovered a separate campaign, again on npm and again using typosquatting. This one, however, distributed eight malicious packages capable of deleting files, corrupting data and bricking entire systems. They had reportedly been present on npm for about two years, and in that time accumulated 6,200 downloads.
Registries such as npm and PyPI are constantly targeted by cybercriminals, who use them to try to compromise the developers working on open source projects.
Via BleepingComputer