Hackers seeking developer credentials used typo-squatting to spread malicious code via libraries hosted at the online repository npm. In all, 40 npm packages were found malicious and removed from the Node.js package management registry, according to npm.
Each of the malicious packages were named intentionally to be confused with similar and popular existing npm packages.
“On July 19 a user named HackTask published a number of packages with names very similar to some popular npm packages. We refer to this practice as ‘typo-squatting.’ In the past, it’s been mostly accidental. In a few cases we’ve seen deliberate typo-squatting by authors of libraries that compete with existing packages. This time, the package naming was both deliberate and malicious—the intent was to collect useful data from tricked users,” according to the npm post.
“From this you can see that the real danger came from the crossenv package, which had nearly 700 downloads, with some secondary exposure from the jquery typosquats. But even in that case, most of the downloads come from mirrors requesting copies of the 16 versions of crossenv published. Our estimate is that there were at most 50 real installations of crossenv, probably fewer,” npm said.
Swedish developer Oscar Bolmsten is credited for spotting the malicious code in the crossenv package and notifying npm on Aug. 1 via a tweet.
— Oscar Bolmsten (@o_cee) August 1, 2017
“If you downloaded and installed any of these packages, you should immediately revoke and replace any credentials you might have had in your shell environment,” npm said.
To avoid similar types of attacks, npm said, it is supporting the Lift Security and the Node Security Project and its efforts to do static analysis of public registry packages.
“We’re discussing various approaches to detecting and preventing publication—either accidental or malicious—of packages with names very close to existing packages. There are programmatic ways to detect this, and we might use them to block publication,” according to the npm blog.