Light shone on typo-squatting NPM supply chain attack • The Register


ReversingLabs researchers have uncovered evidence of a widespread software supply chain attack carried out through malicious JavaScript packages distributed via NPM.

NPM was acquired by Microsoft-owned GitHub in 2020 and has suffered from one or two issues over the years (from permission issues in 2021 to credential issues this year).

The latest problem stems from typo-squatting, where an attacker publishes malicious packages under names similar to (or easy-to-miss misspellings of) real packages. The examples given include a variety riffing on the name ionicons, which (when spelled correctly) is a handy open source set of 1,000 icons for use with web, desktop, iOS, and Android apps.

In the case of ionicons, the malefactors released 18 versions containing malicious form-stealing code; icon-package, for example, has over 17,000 downloads according to NPM download statistics. Other examples of typosquatting include umbrellaks in place of umbrellajs.

As for what’s taken, researchers found a feature capable of collecting data from virtually any form element on a page.

The attack appears highly coordinated: ReversingLabs noted that malicious packages were being released from December 2021, and the unnamed gang behind them appears to have since moved on to other NPM packages.

Combined with typo-squatting, bad actors have attempted to conceal the malicious code hidden in these packages by running it through an obfuscator. The JavaScript Obfuscator tool is designed to protect code against reverse engineering and tampering; malefactors started using it to disguise JavaScript for more nefarious purposes. As such, the researchers took its use as an indicator that a package might warrant further investigation.
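The two review signals described above (near-misspellings of known package names, and javascript-obfuscator-style code) can be checked mechanically before a dependency is installed. The following is an added triage helper, not ReversingLabs' or NPM's tooling; the watchlist and sample inputs are constructed, and the `_0x` identifier pattern is the default naming scheme of the obfuscator, not a signature taken from the reported packages.

```javascript
// Added triage helper (not ReversingLabs' or npm's code). Watchlist is a
// constructed stand-in for the popular packages an organisation depends on.
const WATCHLIST = ['ionicons', 'umbrellajs', 'lodash', 'express'];

// Standard Levenshtein edit distance, single-row implementation.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Flag dependencies within `maxDistance` edits of a watched name. Exact
// matches are the legitimate package and are skipped. This catches
// misspellings such as umbrellaks; name riffs such as icon-package need
// a separate review, since they are many edits away from ionicons.
function findLookalikes(depNames, watchlist = WATCHLIST, maxDistance = 2) {
  const hits = [];
  for (const dep of depNames) {
    for (const real of watchlist) {
      if (dep === real) continue;
      const d = levenshtein(dep.toLowerCase(), real.toLowerCase());
      if (d <= maxDistance) hits.push({ dep, lookalikeOf: real, distance: d });
    }
  }
  return hits;
}

// Fraction of identifier-like tokens that follow javascript-obfuscator's
// default naming (_0x followed by hex digits). A high ratio is a signal
// that the package deserves a closer look, not proof of malice.
function obfuscatedIdentifierRatio(source) {
  const idents = source.match(/\b[A-Za-z_]\w*\b/g) || [];
  if (idents.length === 0) return 0;
  const hex = idents.filter((id) => /^_0x[0-9a-f]+$/i.test(id)).length;
  return hex / idents.length;
}

// Constructed sample input: a dependency list and a code fragment.
const SAMPLE_DEPS = ['express', 'umbrellaks', 'ionicons', 'lodahs'];
const SAMPLE_SRC =
  'var _0x3f1a=["form","value"];function _0x2b(_0x1c){return _0x3f1a[_0x1c];}';
```

Run `findLookalikes(SAMPLE_DEPS)` over a project's `package.json` dependency names and `obfuscatedIdentifierRatio` over the tarball's entry file; both are cheap enough to run in CI on every lockfile change.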

ReversingLabs has already reported its findings to NPM, and The Register asked the package slinger and its parent, GitHub, what could be done against the attack. The two have yet to respond.

As with too many attacks, it seems to depend on users not being completely clear about what they are downloading.

In its blog post on the subject, ReversingLabs noted that: “The decentralized and modular nature of application development means that applications and services are only as strong as their least secure component.

“The success of this attack – with more than two dozen malicious modules available for download from a popular package repository, and one of them with 17,000 downloads within a few weeks – underscores the freewheeling nature of the development of applications and low barriers to malware or even vulnerable code entering sensitive applications and computing environments.” ®
