Hundreds more packages found in malicious npm 'factory'

Over 600 malicious packages were published in only five days.
Written by Charlie Osborne, Contributing Writer

Researchers continue to investigate a wave of malicious npm packages, with the published tally now reaching over 700. 

Last week, JFrog researchers disclosed the scheme in which an unknown threat actor had published at least 200 malicious Node Package Manager (npm) packages. The team said that the repositories were first detected on March 21 and grew rapidly, with each npm package deliberately named to mimic legitimate software. 

An automated script targeted scopes used by Microsoft Azure developers, including @azure, @azure-rest, @azure-tests, and more, in the npm software registry. 

On Monday, Checkmarx researchers Aviad Gershon and Jossef Harush said the Supply Chain Security (SCS) team has also been tracking these activities and has recorded over 600 malicious packages published over five days, bringing the total to over 700.

To try and keep the attacks under the radar, the miscreant responsible has been using unique user accounts. 

"This is uncommon for the automated attacks we see; usually, attackers create a single user and burst their attacks over it," Checkmarx says. "From this behavior, we can conclude that the attacker built an automation process from end to end, including registering users and passing the OTP challenges."

According to Checkmarx, the attacker's "factory" is developing malicious npm packages relying on type dependency confusion to dupe developers and steal their data successfully.

As previously noted by JFrog, the attack method relies on typosquatting and names that mimic trustworthy packages, often removing the "scope" part of a package name to look legitimate. 
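
A defender-side check for the scope-dropping pattern described above, as an added example that is not code from JFrog, Checkmarx or this article: it flags `package.json` dependencies that resolve to an unscoped registry name matching a known scoped package under the scopes named earlier. The `KNOWN_SCOPED` list, the sample manifest and all function names are constructed for illustration.

```javascript
// Added example (not from JFrog or Checkmarx). Scopes are the ones the article names.
const WATCHED_SCOPES = ['@azure', '@azure-rest', '@azure-tests'];

// Split "@scope/name" into its parts; unscoped names have scope === null.
function splitName(name) {
  const m = /^(@[^/]+)\/(.+)$/.exec(name);
  return m ? { scope: m[1], bare: m[2] } : { scope: null, bare: name };
}

// Name npm will actually fetch from the registry, or null for non-registry specs.
function registryName(key, spec) {
  if (/^(file:|git\+|git:|https?:)/.test(spec)) return null; // local path, git, tarball URL
  const alias = /^npm:((?:@[^/]+\/)?[^@/]+)(?:@.*)?$/.exec(spec); // "npm:<name>@<range>"
  return alias ? alias[1] : key;
}

// knownScoped: scoped packages the team intends to use (assumed to be kept by the caller).
function findScopeDropped(manifest, knownScoped) {
  const bareToScoped = new Map();
  for (const full of knownScoped) {
    const { scope, bare } = splitName(full);
    if (WATCHED_SCOPES.includes(scope)) bareToScoped.set(bare, full);
  }
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [key, spec] of Object.entries(manifest[section] || {})) {
      const installs = registryName(key, String(spec));
      if (installs === null || splitName(installs).scope) continue; // not registry, or scoped
      const shadows = bareToScoped.get(installs);
      if (shadows) findings.push({ section, declaredAs: key, installs, shadows });
    }
  }
  return findings;
}

// Constructed sample manifest; versions and local names are made up.
const SAMPLE_MANIFEST = {
  dependencies: {
    '@azure/storage-blob': '^12.0.0',
    'core-tracing': '^1.0.0',                     // scope dropped: flagged
    'tracing': 'npm:@azure/core-tracing@^1.0.0',  // alias to the scoped package: fine
  },
  devDependencies: {
    '@azure/core-client': 'npm:core-client@^1.0.0', // scoped key, unscoped target: flagged
    'core-paging': 'file:../vendor/core-paging',    // local path, never hits the registry
  },
};
const KNOWN_SCOPED = ['@azure/core-tracing', '@azure/core-paging', '@azure/storage-blob', '@azure-rest/core-client'];
console.log(findScopeDropped(SAMPLE_MANIFEST, KNOWN_SCOPED));
```

A finding means the manifest pulls an unscoped registry package where a scoped one was expected; it does not by itself show that the unscoped package is malicious.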

The command-and-control (C2) server used to manage the overall infrastructure of the attack wave, "rt11[.]ml," is also the address to which the stolen information is sent. The C2 appears to be running Interactsh, an open source tool written in the Go programming language for data extraction.

Checkmarx set up its own domain and server, complete with an Interactsh client, to better understand the attacker's method. A script was then written that opens NPM accounts upon request, using the web testing software SeleniumLibrary. The script can randomly generate usernames and email addresses under the test domain and automatically initiates the sign-up process. 

This is where Interactsh comes in. To bypass the One-Time Password (OTP) verification check used by NPM, Interactsh automatically extracts the OTP and sends it back to the sign-up form, allowing the account creation request to succeed. 

The team then adhered to the attacker's method by creating a template npm package and a script able to communicate with NPM utilities in the 'login' and 'publish' stages. 

"It is worth mentioning that once the user account is open, it is possible to configure it in a way that does not require OTP in order to publish a package," the researchers said. "This could be done using an authentication token and configuring it to work without 2FA. We presume that this is the way attackers who published bursts of malicious packages were able to automate their process without setting up the described mechanism."

Checkmarx, as well as JFrog, have reported the malicious packages to the NPM security team. In addition, the company providing the C2 server has been notified. 

"By distributing the packages across multiple usernames, the attacker makes it harder for defenders to take them all down with 'one stroke,'" Checkmarx noted. "By that, of course, making the chances of infection higher. Just to make it clear, the building blocks required for creating single (OTP verified) user[s] per package is no trivial task."

In February, JFrog found 25 malicious npm packages containing Discord token stealers. Many of these packages mimicked colors.js, open source software for using colored text on node.js -- before its creator sabotaged the package. 
