NPM users warned about dozens of malicious packages aimed at stealing host and network data
- Socket found 60 malicious NPM packages
- The malware impersonated legitimate packages
- It was able to exfiltrate sensitive data
Cybersecurity researchers at Socket have warned of several malicious packages hosted on NPM that steal sensitive user data and pass it on to the attackers.
In a blog post, Socket said it identified 60 packages on NPM, uploaded since 12 May from three separate accounts. The packages contain a post-install script that runs during ‘npm install’ and exfiltrates host names, internal IP addresses, home directories, current working directories, user names and system DNS servers.
The script also checks host names for cloud-provider and reverse-DNS strings, to make sure it is not running in a sandbox.
Although theoretically possible, Socket said the packages did not deliver additional malware or escalate privileges. No persistence mechanisms were seen either.
A new twist on old tricks
Apparently this was a typical typosquatting attack.
The package names were similar to those of legitimate packages, such as “Flipper plugins”, “React-Xterm2” or “Hermes-Inspector-Msgen”. Based on the names, the researchers suspected that the attackers were targeting CI/CD pipelines.
Before they were removed from the repository, the packages were downloaded about 3000 times.
The full list of the 60 malicious packages can be found at this link. Those who have downloaded any of them are advised to remove them immediately and then perform a full system scan. They should also rotate important credentials and, where possible, enable 2FA.
Socket also discovered a separate campaign, again on NPM and again using the typosquatting technique, that distributed eight malicious packages able to delete files and corrupt data and entire systems. They had been present on NPM for about two years, it said, and during that time accumulated 6,200 downloads.
Platforms such as NPM or PyPI are constantly targeted by cyber criminals, who use them to try to compromise software developers working on open-source projects.