Hackers seeking developer credentials used typo-squatting to spread malicious code via libraries hosted at the online repository npm. In all, 40 npm packages were found malicious and removed from the Node.js package management registry, according to npm.
The attack involved a user named HackTask who uploaded the rogue JavaScript libraries between July 19 and July 31, according to an account of the incident on the npm blog. Npm maintains the Node Package Manager for JavaScript and hosts the “world’s largest software registry,” according to the site.
Each of the malicious packages was named deliberately so that it would be confused with a similar, popular existing npm package.
“On July 19 a user named HackTask published a number of packages with names very similar to some popular npm packages. We refer to this practice as ‘typo-squatting.’ In the past, it’s been mostly accidental. In a few cases we’ve seen deliberate typo-squatting by authors of libraries that compete with existing packages. This time, the package naming was both deliberate and malicious—the intent was to collect useful data from tricked users,” according to the npm post.
The JavaScript packages were designed to steal environment variables, such as developers’ credentials, from the projects they infected and upload them to the attacker-controlled server npm.hacktask.net. One example was a malicious package named “crossenv,” which was meant to be confused with the real package named “cross-env.”
“From this you can see that the real danger came from the crossenv package, which had nearly 700 downloads, with some secondary exposure from the jquery typosquats. But even in that case, most of the downloads come from mirrors requesting copies of the 16 versions of crossenv published. Our estimate is that there were at most 50 real installations of crossenv, probably fewer,” npm said.
Swedish developer Oscar Bolmsten is credited with spotting the malicious code in the crossenv package and notifying npm on Aug. 1 via a tweet.
@kentcdodds Hi Kent, it looks like this npm package is stealing env variables on install, using your cross-env package as bait: pic.twitter.com/REsRG8Exsx
— Oscar B (@o_cee) August 1, 2017
Upon further investigation, npm concluded that a JSON (JavaScript Object Notation) configuration file used by the crossenv package ran a script that converted the developer credentials into a string and sent it via a POST request to npm.hacktask.net.
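The mechanism described above is a package manifest that declares a script npm runs automatically at install time. The following auditor is an added example (not npm’s code and not the crossenv package) that lists those install hooks for a set of manifests before anything is installed; the manifests it checks are constructed samples, and the hook names are the standard npm lifecycle fields.

```javascript
// Added example: audit package manifests for scripts that npm runs on its own
// during installation. A dependency's "preinstall", "install" and
// "postinstall" scripts execute without prompting, which is the hook a
// credential-stealing install script relies on. Surfacing them before the
// install turns a silent step into one a reviewer can look at.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return the lifecycle scripts in a manifest object that would run on install.
function installTimeScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Classify a manifest: "clean" when it has no install hooks, "review" when it
// has any. The rule is deliberately conservative: the manifest alone cannot
// say what the script does, so every install hook is worth a human look.
function auditManifest(manifest) {
  const hooks = installTimeScripts(manifest);
  return {
    name: manifest.name,
    verdict: hooks.length === 0 ? "clean" : "review",
    hooks,
  };
}

function auditAll(manifests) {
  return manifests.map(auditManifest);
}

// Constructed sample manifests for the example (not the real crossenv or
// cross-env package.json files).
const SAMPLE_MANIFESTS = [
  { name: "example-plain-lib", version: "1.0.0", scripts: { test: "node test.js" } },
  {
    name: "example-hooked-lib",
    version: "1.0.0",
    scripts: { postinstall: "node index.js", test: "node test.js" },
  },
  { name: "example-no-scripts", version: "2.3.1" },
];

for (const result of auditAll(SAMPLE_MANIFESTS)) {
  const detail = result.hooks.map((h) => `${h.hook}: ${h.command}`).join("; ");
  console.log(`${result.name}: ${result.verdict}${detail ? " -> " + detail : ""}`);
}
```

In practice the same check belongs in CI, run over the manifests that a lockfile resolves to. Independently of any auditing, npm’s own `--ignore-scripts` option prevents install-time scripts from running at all, at the cost of breaking packages that legitimately need them.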
“If you downloaded and installed any of these packages, you should immediately revoke and replace any credentials you might have had in your shell environment,” npm said.
To avoid similar attacks, npm said it is supporting Lift Security and the Node Security Project in their efforts to perform static analysis of packages in the public registry.
“We’re discussing various approaches to detecting and preventing publication—either accidental or malicious—of packages with names very close to existing packages. There are programmatic ways to detect this, and we might use them to block publication,” according to the npm blog.
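One programmatic approach of the kind the post alludes to is to compare a proposed package name against popular existing names before publication. The code below is an added example, not npm’s registry logic: it treats names that differ only in separators (the crossenv/cross-env case) as collisions and also flags names within one edit (insertion, deletion, substitution or adjacent transposition) of a known name. The list of popular packages is constructed for the example.

```javascript
// Added example: decide whether a candidate package name is confusable with a
// popular existing one. Two signals are combined:
//   1. normalized equality: strip case, separators and a scope prefix, so
//      "crossenv" collides with "cross-env";
//   2. small edit distance on the raw name, which catches single typos.

// Constructed list of "popular" names for the example.
const POPULAR_PACKAGES = ["cross-env", "jquery", "lodash", "express", "react", "babel-cli"];

// Strip a scope ("@org/") plus separators and case so "cross-env",
// "crossenv" and "Cross_Env" all normalize to "crossenv".
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[-_.]/g, "");
}

// Optimal string alignment distance: Levenshtein plus adjacent transposition,
// so "jqeury" is one edit away from "jquery" rather than two.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => {
    const row = new Array(b.length + 1).fill(0);
    row[0] = i;
    return row;
  });
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Return the popular names the candidate could be confused with, each with the
// reason. An exact match is the package itself, not a typosquat, and is skipped.
function findConfusables(candidate, popular = POPULAR_PACKAGES, maxDistance = 1) {
  const hits = [];
  for (const known of popular) {
    if (known === candidate) continue;
    if (normalize(known) === normalize(candidate)) {
      hits.push({ known, reason: "separator-variant" });
    } else if (editDistance(candidate, known) <= maxDistance) {
      hits.push({ known, reason: "edit-distance" });
    }
  }
  return hits;
}

// Policy hook: hold a publish request for review when any confusable exists.
function shouldHoldPublish(candidate, popular = POPULAR_PACKAGES) {
  return findConfusables(candidate, popular).length > 0;
}

for (const name of ["crossenv", "jqeury", "jquery", "totally-different"]) {
  console.log(name, shouldHoldPublish(name) ? "HOLD" : "ok", findConfusables(name));
}
```

A registry applying this would tune the distance threshold to name length (one edit in a five-character name is a much stronger signal than one edit in a twenty-character name) and would exempt the existing owner of the near-duplicate, since maintainers do legitimately publish alias packages.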