An unknown attacker recently uploaded more than 200 malicious npm packages that typosquatted legitimate Azure packages, targeting developers looking for Azure tools with a payload designed to steal personally identifiable information from the machines it ran on.
The campaign occurred earlier this week, and researchers at JFrog discovered the malicious packages when their automated analyzers raised alerts on them. Within a couple of days, the set of malicious packages grew from about 50 to more than 200. The attacker appeared to be using a script to upload the packages and relied on simple typosquatting: each malicious package carried the name of a legitimate package in the @azure scope on the npm registry, minus the scope. The attack went after any developer installing tools from the @azure scope, counting on them to mistakenly drop the @azure/ prefix at the beginning of the package name.
“The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package. For example, running npm install core-tracing by mistake, instead of the correct command – npm install @azure/core-tracing,” a post by Andrey Polkovnychenko and Shachar Menashe of JFrog says.
“In addition to the typosquatting infection method, all of the malicious packages had extremely high version numbers (ex. 99.10.9) which is indicative of a dependency confusion attack. A possible conjecture is that the attacker tried to target developers and machines running from internal Microsoft/Azure networks, in addition to the typosquatting-based targeting of regular npm users. As mentioned, we did not pursue research on this attack vector and as such this is just a conjecture.”
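Both signals described above, the scope-dropped name and the implausibly high version number, can be checked mechanically before a dependency is ever installed. The following is an added example written for this article, not code from JFrog, npm or Microsoft: it audits a parsed package.json for unscoped dependencies whose names collide with known @azure packages and for version ranges whose major component is absurdly high. The list of scoped names, the version threshold, and the sample manifest are assumptions constructed for the example; a real check would load the scoped names from the registry or an organization's allow-list.

```javascript
// Added example (not code from JFrog or npm): audit a package.json for the two
// red flags described in the article.
//  1. An unscoped dependency whose name collides with a package known to exist
//     under the @azure scope ("core-tracing" vs "@azure/core-tracing").
//  2. A version constraint whose major component is implausibly high (the
//     99.10.9 pattern used to win dependency-confusion races against internal feeds).
// The scoped-name list and the threshold are assumptions for illustration only.

const KNOWN_AZURE_PACKAGES = new Set([
  "@azure/core-tracing",
  "@azure/core-http",
  "@azure/identity",
  "@azure/storage-blob",
]);

// Any major version at or above this is treated as suspicious (assumed threshold).
const SUSPICIOUS_MAJOR = 50;

// Pull the major version out of a semver range such as "^1.2.3", "~99.10.9",
// ">=2.0.0" or "99.10.9". Returns null for tags, URLs or git specs it cannot parse.
function majorOf(spec) {
  const m = /^[\^~]?(?:>=?)?\s*v?(\d+)\.\d+\.\d+/.exec(String(spec).trim());
  return m ? Number(m[1]) : null;
}

// Examine a parsed package.json and return one finding per suspicious dependency.
function auditDependencies(pkg, scopedNames = KNOWN_AZURE_PACKAGES, maxMajor = SUSPICIOUS_MAJOR) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      // Signal 1: an unscoped name that shadows a scoped Azure package.
      if (!name.startsWith("@") && scopedNames.has(`@azure/${name}`)) {
        findings.push({ name, field, spec, reason: `unscoped name shadows @azure/${name}` });
      }
      // Signal 2: an absurd major version, typical of dependency-confusion uploads.
      const major = majorOf(spec);
      if (major !== null && major >= maxMajor) {
        findings.push({ name, field, spec, reason: `implausible major version ${major}` });
      }
    }
  }
  return findings;
}

// Constructed sample manifest: one correct scoped dependency, one scope-dropped
// dependency that also carries the 99.x version pattern, one benign package, and
// a scope-dropped devDependency with a normal-looking version.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    "@azure/core-tracing": "^1.0.0",
    "core-tracing": "99.10.9",
    "lodash": "^4.17.21",
  },
  devDependencies: {
    "core-http": "~1.2.3",
  },
});

function auditManifestText(text) {
  return auditDependencies(JSON.parse(text));
}

// Print the findings when run directly: node audit-deps.js
if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditManifestText(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.field}: ${f.name}@${f.spec} -> ${f.reason}`);
  }
}
```

Run against the constructed manifest, the audit reports three findings: core-tracing for shadowing @azure/core-tracing, core-tracing again for its 99.x version, and core-http in devDependencies for shadowing @azure/core-http; lodash passes. The version check is deliberately independent of the name check, because the dependency-confusion pattern can appear on names that match nothing in a public scope, such as an organization's internal package names.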
The JFrog researchers identified at least 218 malicious packages that were uploaded by this actor in this short campaign. The researchers notified the npm maintainers of the malicious packages, which the maintainers took down quickly.
The malicious payload in the packages was a simple information stealer designed to gather a variety of details about the machine on which it was installed. Once executed, the payload recorded directory listings of C:\, D:\, /, and /home, the current username, the user's home directory, the current working directory, the IP addresses of the network interfaces, and the addresses of the configured DNS servers. The malware then sent the collected information to a remote server via either an HTTP POST request or a DNS query.
“Due to the scale of the attack, it is obvious that the attacker used a script to upload the malicious packages. The attacker also tried to hide the fact that all of these malicious packages were uploaded by the same author, by creating a unique user (with a randomly-generated name) per each malicious package uploaded,” Polkovnychenko and Menashe said.
Software supply chain attacks have become one of the major concerns for many organizations, especially those that rely on a broad mix of software from a range of vendors and sources. Verifying the provenance and integrity of third-party packages is difficult, and attackers have exploited that gap in various ways in recent years. The SolarWinds and Kaseya attacks are the most prominent examples, but there have also been a number of smaller-scale supply chain attacks against individual open source projects of late.
The malicious packages uploaded in this campaign did not attract many downloads before they were removed, which limited their actual impact.