The four packages where this malicious code was identified included:
All four packages were developed by the same user (simplelive12) and uploaded on the npm portal in August. Two packages (lodashs, loadyml) were removed by the author shortly after publication, but not before they infected some users.
The remainder packages, electorn and loadyaml, were removed last week, on October 1, by the npm security team following a report from Sonatype, a company that monitors public package repositories as part of its developer security operations (DevSecOps) services.
According to Sonatype security researcher Ax Sharma, the four malicious packages used a technique known as typosquatting to get installs.
All four were misspellings of more popular packages, and they relied on users making mistakes when typing the name of a popular package in order to weasel their way inside someone's codebase.
But once a developer mistakenly included and installed one of the four malicious packages, the malicious code found inside would collect the developer's IP address, country, city, computer username, home directory path, and CPU model information and post this information as a new comment inside the "Issues" section of a GitHub repository.
Sharma said the data wouldn't stay on GitHub for long and would be purged every 24 hours — most likely after being scraped and indexed inside another database.
While we may never know what was the end goal of this campaign, it is very likely that we're looking at a reconnaissance operation.
Information like IP addresses, usernames, and home directory paths can reveal if a user is working from home or a corporate environment. Data like the home directory path and CPU model can also help attackers deploy finely-tuned malware for a specific architecture.
All the attacker would have needed to do was to push a subsequent update to the electorn and loadyaml packages with additional malicious code.
Developers are advised to review project dependencies and see if they accidentally used one of the four.