Typosquatting Campaign Exploits npm Registry to Deliver Malicious Payloads

In a concerning development for the open-source ecosystem, threat actors have been observed uploading malicious typosquats of legitimate npm packages, such as typescript-eslint and @types/node, to the npm registry. The counterfeit packages, named @typescript_eslinter/eslint and types-node, have accumulated thousands of downloads, exposing developers who install them to trojans and second-stage payloads.

The Attack Vector

Typosquatting, where attackers publish packages whose names differ from legitimate ones by a single character, a swapped separator, or a lookalike scope, is a well-known technique. What makes these recent cases noteworthy is the effort put into appearing legitimate. According to an analysis by Sonatype's Ax Sharma, the malicious packages were crafted to closely mimic genuine libraries, complete with fake GitHub repositories that lend them credibility when a developer clicks through from the registry page.

Key Observations:

  • @typescript_eslinter/eslint: This package points to a counterfeit GitHub repository created on November 29, 2024. It ships a file named prettier.bat which, despite its .bat extension, is a Windows PE executable flagged as a trojan and dropper by VirusTotal engines. On installation the package copies prettier.bat into a temporary directory and adds it to the Windows Startup folder, so the dropper is launched again at every user logon.
  • types-node: This package fetches scripts from a Pastebin URL and uses them to execute a malicious file named npm.exe. Naming the binary after the npm client itself makes it blend in with legitimate tooling in process listings and file scans.
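The prettier.bat detail above is a useful hunting signal on its own: a file whose extension promises a text script but whose bytes form a PE image has no legitimate reason to sit in a Startup folder. The following Python scanner is an added example, not code from the original post or from Sonatype; it checks the DOS stub signature and the PE signature at e_lfanew rather than the extension, scans the standard Windows Startup paths (an assumed location, read from APPDATA and PROGRAMDATA), and builds a constructed sample directory so it can be exercised offline. The file contents, names and the SCRIPT_EXTENSIONS set are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Extensions that should hold plain text and never a PE image (assumption for this example).
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js"}

# Constructed minimal PE header: "MZ", e_lfanew at offset 0x3C pointing to offset 64,
# followed by the "PE\0\0" signature. Not a runnable executable, only the bytes a scanner keys on.
PE_STUB = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00"


def looks_like_pe(data: bytes) -> bool:
    """True when `data` starts with a DOS header whose e_lfanew points at a PE signature.

    Checking both signatures avoids flagging text files that merely start with 'MZ'.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def disguised_executables(directory) -> list:
    """Return names of script-suffixed files in `directory` whose content is a PE image."""
    hits = []
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file() and entry.suffix.lower() in SCRIPT_EXTENSIONS:
            # Startup folders are small, so reading whole files is acceptable here.
            if looks_like_pe(entry.read_bytes()):
                hits.append(entry.name)
    return hits


def startup_folders() -> list:
    """Per-user and all-users Startup folders on Windows (assumed standard paths)."""
    appdata = os.environ.get("APPDATA", "")
    programdata = os.environ.get("PROGRAMDATA", "")
    return [
        Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup",
        Path(programdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp",
    ]


def build_sample_startup_dir() -> Path:
    """Constructed fixture mirroring the reported dropper: one real batch file, one PE in disguise."""
    d = Path(tempfile.mkdtemp(prefix="startup-sample-"))
    (d / "legit.bat").write_bytes(b"@echo off\r\necho hello\r\n")
    (d / "prettier.bat").write_bytes(PE_STUB)                 # the disguised dropper
    (d / "fake.cmd").write_bytes(b"MZ" + b"\x00" * 100)       # 'MZ' but no PE signature
    (d / "notes.txt").write_bytes(b"MZ happens to start this text file")
    return d


if __name__ == "__main__":
    print("sample dir:", disguised_executables(build_sample_startup_dir()))
    for folder in startup_folders():
        if folder.is_dir():
            print(folder, disguised_executables(folder))
```

Running the script on a Windows host prints any disguised executables found in the real Startup folders; on any other OS only the constructed sample is scanned. The same check can be pointed at %TEMP% to catch the staging copy the report describes.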

Impact on Developers

The high download counts of these packages suggest that some developers have installed them by mistake, although the figures cannot be taken at face value: there are indications that the threat actors artificially inflated the download numbers so the packages would appear established and trustworthy to anyone comparing them against the genuine libraries.

Related Supply Chain Threats

This development follows the discovery of several malicious extensions in the Visual Studio Code (VSCode) Marketplace. Identified by ReversingLabs in late 2024, these extensions targeted the crypto community before expanding to impersonate the Zoom application. Affected extensions included:

  • EVM.Blockchain-Toolkit
  • ZoomVideoCommunications.Zoom
  • Ethereum.SoliditySupport
  • VitalikButerin.Solidity-Ethereum

Each of these extensions contained obfuscated JavaScript acting as a downloader for a second-stage payload; the exact nature of the payloads was not determined at the time of the report.

Lessons for the Development Community

The increasing sophistication of supply chain attacks highlights the urgent need for:

  1. Enhanced Vigilance: Developers must check the exact spelling of a package name, including its scope and separators, before installing it, and verify the publisher, the package's age and the linked repository rather than trusting download counts, which this campaign shows can be inflated.
  2. Improved Monitoring: Open-source platforms and registries must strengthen monitoring mechanisms to detect lookalike names and remove malicious packages promptly.
  3. Supply Chain Security Measures: Organizations should pin dependencies with a lockfile, review new dependencies against an allowlist of known-good packages, and disable npm install scripts where the build does not need them, so that a mistyped name cannot execute code during installation.
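Both malicious names in this report are within a tiny edit distance of the genuine ones once the characters that typosquatters swap (the @ sign, the slash and underscore versus hyphen) are collapsed. The following Python audit is an added example, not tooling from the original post, Sonatype or npm: it reads a package.json, normalizes each dependency name, and flags names that either collapse to the same string as a known-good package or whose scope sits within two edits of a known scope. The allowlist KNOWN_PACKAGES and the SAMPLE_PACKAGE_JSON manifest are constructed for the example; in practice the allowlist would be generated from an organization's approved dependencies.

```python
import json

# Constructed allowlist of known-good packages; a real deployment would generate this.
KNOWN_PACKAGES = {
    "typescript-eslint",
    "@typescript-eslint/eslint-plugin",
    "@typescript-eslint/parser",
    "@types/node",
    "prettier",
    "eslint",
}
KNOWN_SCOPES = {name.split("/")[0] for name in KNOWN_PACKAGES if name.startswith("@")}
DEPENDENCY_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")

# Constructed manifest containing the two names from the report beside two genuine ones.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "devDependencies": {
    "eslint": "^9.0.0",
    "@typescript_eslinter/eslint": "^1.0.0",
    "types-node": "^22.0.0",
    "prettier": "^3.0.0"
  }
}"""


def normalize(name: str) -> str:
    """Collapse the characters typosquatters swap: case, the '@' marker, '/' and '_' vs '-'."""
    return name.lower().lstrip("@").replace("/", "-").replace("_", "-")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_scope(name: str):
    """Return (scope, bare_name); scope is None for unscoped packages."""
    if name.startswith("@") and "/" in name:
        scope, _, bare = name.partition("/")
        return scope, bare
    return None, name


def classify(name: str, known=KNOWN_PACKAGES, scopes=KNOWN_SCOPES, max_dist: int = 2):
    """Return (verdict, matched_known_name) for one dependency name."""
    if name in known:
        return "ok", None
    scope, _ = split_scope(name)
    # Scope lookalike: an unknown scope that is a couple of edits away from a trusted one.
    if scope and scope not in scopes:
        nearest_scope = min(scopes, key=lambda s: levenshtein(normalize(scope), normalize(s)))
        if levenshtein(normalize(scope), normalize(nearest_scope)) <= max_dist:
            return "scope-lookalike", nearest_scope
    # Name lookalike: same letters once separators are collapsed, or within max_dist edits.
    norm = normalize(name)
    nearest = min(known, key=lambda k: levenshtein(norm, normalize(k)))
    if levenshtein(norm, normalize(nearest)) <= max_dist:
        return "name-lookalike", nearest
    # Not on the allowlist and not close to anything on it: needs a human review, not a block.
    return "unknown", None


def audit_manifest(package_json_text: str) -> dict:
    """Classify every dependency declared in a package.json document."""
    manifest = json.loads(package_json_text)
    results = {}
    for section in DEPENDENCY_SECTIONS:
        for dep in manifest.get(section, {}):
            results[dep] = classify(dep)
    return results


if __name__ == "__main__":
    for dep, (verdict, match) in audit_manifest(SAMPLE_PACKAGE_JSON).items():
        print(f"{verdict:16} {dep}" + (f"  (resembles {match})" if match else ""))
```

The two-edit threshold is deliberately tight: loosening it catches more variants but also flags unrelated short names, so a CI gate should treat "scope-lookalike" and "name-lookalike" as failures and "unknown" as a review item.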

Conclusion

The compromise of open-source repositories and development tools serves as a stark reminder of the evolving tactics of threat actors. As the open-source ecosystem continues to grow, securing the software supply chain must remain a top priority for developers, maintainers, and organizations alike.

More articles from Digital Forensics Research and Service Center (DFRSC)