Ongoing typosquatting campaign impersonates hundreds of popular npm packages
Puppeteer or Pupeter? One of them will snoop around on your machine and steal your credentials
An ongoing typosquatting campaign is targeting developers via hundreds of popular JavaScript libraries, whose weekly downloads number in the tens of millions, to infect systems with info-stealing and snooping malware.
The npm supply chain attack appears to have originated in October, and we've seen three different security shops sound the alarm on this novel typosquatting effort that uses Ethereum smart contracts for command-and-control (C2) operations.
In this case, typosquatting involves a criminal publishing malicious npm packages with names that look like legitimate ones, but are just slightly off by a letter or two – such that a user would mistakenly type "pupeter" or "pupetier" when trying to use the well-known Puppeteer library that has almost four million downloads a week.
Those are two of the malware packages that Phylum documented in its research.
Using blockchain technology for the command infrastructure represents a new approach for npm supply chain attacks, and one that renders traditional C2 blocking ineffective – making this malware distribution campaign more difficult to detect.
Security researchers at Socket and Phylum warned about the campaign on Halloween.
Phylum noted that some unknown miscreant was using typosquat packages masquerading as Puppeteer, Bignum.js and various cryptocurrency libraries – 287 packages in total – to trick developers into installing the malware and giving the attackers persistent access to their machines.
Socket revealed its researchers had spotted a suspicious package named haski – which appeared to be a typosquat targeting husky. Similar to the other malicious packages, haski mimicked the name of the very widely used git hooks library that has more than 12.6 million downloads a week. Haski, however, contained obfuscated code and linked to an Ethereum wallet address.
Over the next 24 hours, the developer-focused security boffins noted their AI scanner detected a sudden wave of malware packages flooding the npm ecosystem, "all using the same attack chain beginning with legitimate-looking package names, similar obfuscation patterns and code structure, and all using the same wallet address.
"Upon deobfuscation, we confirmed these packages were part of a coordinated campaign, each containing a sophisticated multi-stage malware downloader using Ethereum smart contracts for C2 communication," the Socket team wrote.
Socket's threat hunters also spotted "multiple instances" of Russian language usage within the malware codebase. This may indicate the attacker's region – but it "should be interpreted cautiously due to the possibility of deliberate misattribution or code reuse," the team noted.
On Monday, Checkmarx published a similar warning about a typosquatted malicious package – jest-fet-mock – also published in mid-October, which also used blockchain-based command and control infrastructure:
When executed, the malware interacts with a smart contract at address "0xa1b40044EBc2794f207D45143Bd82a1B86156c6b". Specifically, it calls the contract's "getString" method, passing "0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84" as a parameter to retrieve its C2 server address.
By using the blockchain in this way, the attackers gain two key advantages: their infrastructure becomes virtually impossible to take down due to the blockchain's immutable nature, and the decentralized architecture makes it extremely difficult to block these communications.
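The contract lookup Checkmarx describes gives defenders something concrete to hunt for in package source, even when the C2 endpoint itself cannot be blocked. The following scanner is an added example written for this article, not code from Checkmarx, Socket or Phylum: it flags Ethereum-style address literals (0x followed by 40 hex digits) and `.getString(` calls in a package's JavaScript, and marks any address that matches the two indicators quoted above. The `SAMPLE_SOURCE` text is constructed for the example and only imitates the shape of the call described in the article.

```javascript
// Added example: heuristic triage of package source for the blockchain-C2
// pattern described by Checkmarx. Not the vendors' own tooling.

// The two addresses Checkmarx published for jest-fet-mock (contract, then the
// parameter passed to getString), stored lower-cased for case-insensitive matching.
const KNOWN_ADDRESSES = new Set([
  '0xa1b40044ebc2794f207d45143bd82a1b86156c6b',
  '0x52221c293a21d8ca7afd01ac6bfac7175d590a84',
]);

// Generic Ethereum address literal: 0x followed by exactly 40 hex digits.
const ETH_ADDRESS_RE = /\b0x[0-9a-fA-F]{40}\b/g;
// A string-returning contract call, as used by the malware to fetch its C2 URL.
const CONTRACT_CALL_RE = /\.getString\s*\(/;

// Returns the unique addresses found, which of them are known indicators,
// whether a getString() call is present, and a coarse verdict for triage.
function scanSource(text) {
  const addresses = [...new Set((text.match(ETH_ADDRESS_RE) || []).map(a => a.toLowerCase()))];
  const knownHits = addresses.filter(a => KNOWN_ADDRESSES.has(a));
  const callsGetString = CONTRACT_CALL_RE.test(text);

  let verdict = 'clean';
  if (knownHits.length > 0) verdict = 'known-indicator';          // matches a published IoC
  else if (addresses.length > 0 && callsGetString) verdict = 'suspicious'; // same shape, unknown address
  else if (addresses.length > 0 || callsGetString) verdict = 'review';     // one signal only

  return { addresses, knownHits, callsGetString, verdict };
}

// Constructed sample: a snippet with the same shape as the call Checkmarx
// described (contract address, getString, parameter address). Not real malware.
const SAMPLE_SOURCE = `
const c = new ethers.Contract("0xa1b40044EBc2794f207D45143Bd82a1B86156c6b", abi, provider);
const url = await c.getString("0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84");
`;

// Stand-alone run: print the triage result for the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanSource(SAMPLE_SOURCE), null, 2));
}
```

Treat the `suspicious` and `review` verdicts as a prompt to read the file, not as a conviction: a legitimate web3 library will contain address literals and contract calls too, and the obfuscation Socket reported means the literals may not appear in plain text at all, so this check complements rather than replaces deobfuscation and behavioural analysis.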
The malicious package "jest-fet-mock" was designed to impersonate two legitimate JavaScript testing utilities, said Checkmarx.
The first – fetch-mock-jest, with nearly 200,000 weekly downloads – is a wrapper around fetch-mock that enables HTTP request mocking in Jest environments. Meanwhile, jest-fetch-mock has about 1.3 million weekly downloads and provides similar capabilities.
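Every package named so far (pupeter, pupetier, haski, jest-fet-mock) sits within two single-character edits of the library it imitates, which is exactly the property a pre-install check can test for. The following is an added example, not tooling from any of the vendors quoted here: it reads a package.json, collects its dependencies, and reports any name that is close to, but not identical to, a well-known package. The `POPULAR` list is a constructed sample; a real check would load the top-N names from the npm registry, and the `SAMPLE_PACKAGE_JSON` document is likewise constructed for the example.

```javascript
// Added example: flag dependency names within a small edit distance of a
// well-known package. Not code from Phylum, Socket or Checkmarx.

// Constructed allow-list; replace with the registry's most-downloaded names.
const POPULAR = ['puppeteer', 'husky', 'fetch-mock-jest', 'jest-fetch-mock', 'bignumber.js'];

// Classic single-row Levenshtein distance: number of insertions, deletions
// and substitutions needed to turn string a into string b.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];   // d[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // d[i-1][j], needed as next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// For each dependency, find the closest popular name; an exact match is the
// real package and is skipped, a near miss is reported with its distance.
function findTyposquats(deps, popular = POPULAR, maxDistance = 2) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (popular.includes(name)) continue;
    let best = null;
    for (const p of popular) {
      const d = levenshtein(name.toLowerCase(), p);
      if (d <= maxDistance && (best === null || d < best.distance)) {
        best = { lookalike: p, distance: d };
      }
    }
    if (best) findings.push({ name, ...best });
  }
  return findings;
}

// Merge dependencies and devDependencies from a package.json document.
function checkPackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return findTyposquats(deps);
}

// Constructed sample: one genuine dependency, one ordinary dev tool, and three
// names taken from the article's list of typosquats.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { puppeteer: '^23.0.0', pupeter: '1.0.0' },
  devDependencies: { haski: '1.0.0', 'jest-fet-mock': '1.0.0', eslint: '^9.0.0' },
});

if (typeof require !== 'undefined' && require.main === module) {
  console.table(checkPackageJson(SAMPLE_PACKAGE_JSON));
}
```

A fixed threshold of two edits is fine for names of this length but produces many false positives on very short names, so a production check should scale the threshold with name length and still treat a hit as a reason to look at the package's publish date, maintainer and install scripts rather than as proof of malice.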
There's a full list of packages linked to the campaign here.
"Given that the legitimate packages are primarily used in development environments where developers typically have elevated system privileges, and are often integrated into CI/CD pipelines, we believe this attack specifically targets development infrastructure through the compromise of testing environments," Checkmarx researcher Yehuda Gelb wrote.
Checkmarx's analysis uncovered malware designed for Windows (SHA-256: df67a118cacf68ffe5610e8acddbe38db9fb702b473c941f4ea0320943ef32ba), Linux (SHA-256: 0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17), and macOS (SHA-256: 3f4445eaf22cf236b5aeff5a5c24bf6dbc4c25dc926239b8732b351b09698653).
At the time of writing, none had been flagged by VirusTotal, we're told.
All of the malware performed system reconnaissance after being installed on the victim's machine. And after determining the host operating system, the code constructs a platform-specific URL to download the appropriate payload, steal credentials and establish persistence through platform-specific means – such as AutoStart files in Linux and Launch Agent configuration (~/Library/LaunchAgents/com.user.startup.plist) in macOS, Checkmarx noted.
As with the other two research teams, Checkmarx warned that the campaign is ongoing, and "serves as an important reminder for development teams to implement strict security controls around package management and carefully verify the authenticity of testing utilities, especially those requiring elevated privileges." ®