Four Malicious Packages In The NPM Repository With Names Similar To Popular Packages Were Phoning User Data Home
Be careful what you npm install. Four packages in the NPM repository, published by a single author, were caught sending device fingerprint information, IP address and geolocation data to a public GitHub page upon installation. All of them used package names similar to popular and widely used NPM packages.
Typosquatting is a popular technique where you name your malicious thing, in this case NPM packages, something very similar to what a lot of people type. A lot of people npm install electron, so it makes sense to name your evil thing
Four packages in the NPM repository were caught with a pre-installation script that sent the installing user's login name, CPU model, IP address, and home directory back to a publicly available GitHub page. The packages in question were
electorn (255 downloads),
lodashs (78 downloads),
loadyaml (48 downloads), and
loadyml (37 downloads).
The malicious packages were published to NPM between August 17th and August 24th. The typosquatting trick fooled more than 400 users into downloading and installing these packages before the software analysis company Sonatype detected them using its automated tools.
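Two checks a defender can apply to a project's dependencies, covering both the look-alike names and the pre-installation hook described above. This is an added example, not code from the article or from Sonatype; the popular-package list, the sample manifests and the script name collect.js are constructed for the demo.

```javascript
// Added example: (1) flag dependency names within a small edit distance of a
// well-known package (electorn vs electron, lodashs vs lodash), and (2) flag
// install-time lifecycle scripts, the hook the malicious packages relied on.
const POPULAR = ['electron', 'lodash', 'react', 'express', 'js-yaml']; // constructed list
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// Levenshtein distance, single-row dynamic programming.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return prev[b.length];
}
// Popular name the dependency resembles; null for an exact match (the real package) or no near match.
function lookalikeOf(name, popular = POPULAR, maxDistance = 2) {
  if (popular.includes(name)) return null;
  let best = null;
  for (const p of popular) {
    const d = editDistance(name, p);
    if (d <= maxDistance && (best === null || d < best.d)) best = { p, d };
  }
  return best ? best.p : null;
}
// Audit one parsed package.json; returns a list of human-readable findings.
function auditManifest(manifest) {
  const findings = [];
  const twin = lookalikeOf(manifest.name);
  if (twin) findings.push(`name "${manifest.name}" resembles "${twin}"`);
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`${hook} script runs: ${scripts[hook]}`);
  }
  return findings;
}
// Constructed manifests mirroring the pattern described in the article (collect.js is a placeholder).
const SAMPLES = [
  { name: 'electorn', scripts: { preinstall: 'node collect.js' } },
  { name: 'lodashs', scripts: { preinstall: 'node collect.js' } },
  { name: 'lodash', scripts: { test: 'mocha' } },
];
for (const m of SAMPLES) console.log(m.name, auditManifest(m));
```

Running a check like this over node_modules/*/package.json (or in CI over the lockfile) surfaces both signals before an install script ever executes.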
The attackers' motivations remain unknown. There are a few possibilities: This may have been a simple harmless experiment done to see how many people fall for these kinds of typosquatting attacks. That the scripts only collected a limited amount of user data and posted it to a public GitHub page points in that direction. It is also possible that this was the first step in a more sophisticated attack using several stages: The attacker could have intended to release updated versions of those packages with more dangerous functionality, backdoors and even rootkits.
These NPM packages were available for more than a month before they were discovered and removed. Be careful what you type when you