Four Malicious Packages In The NPM Repository With Names Similar To Popular Packages Were Phoning User Data Home

From LinuxReviews

Be careful what you npm install. Four packages in the NPM repository, published by a single author, were caught sending device fingerprint information, IP and geo-location data to a public GitHub page upon installation. All of them used package names similar to popular and widely used NPM packages.

Original story by opennet.ru. Originally published 2020-10-05.
English translation by linuxreviews.org 2020-10-06.
This work is licensed under the Creative Commons Attribution-ShareAlike.

[Image: Malware-bug-bigger.jpg] Some image we made with some harmless JavaScript and a ladybug. People who don't know much about computers will think it's relevant to a news story about malware.

Typosquatting is a popular technique where you name your malicious thing, in this case NPM packages, something very similar to what a lot of people type. A lot of people npm install electron, so it makes sense to name your evil thing electorn.

Four packages in the NPM repository were caught with a pre-installation script that sent the installing user's login name, CPU model, IP address, and home directory back to a publicly available GitHub page. The packages in question were electorn (255 downloads), lodashs (78 downloads), loadyaml (48 downloads), and loadyml (37 downloads).
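As an added example (not from the article, and not Sonatype's tooling), here is a small Node.js check that flags dependency names a couple of edits away from a well-known package (catching swapped letters like electorn, or an appended letter like lodashs) and lists any install-time hooks declared in a manifest. The popular-package list and the sample manifests are constructed for the example.

```javascript
// Constructed list of well-known package names to compare against.
const POPULAR = ["electron", "lodash", "js-yaml", "yaml", "express", "react"];

// Optimal string alignment distance: insert/delete/substitute plus a
// single transposition of adjacent letters (electorn <-> electron costs 1).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        dp[i][j] = Math.min(dp[i][j], dp[i - 2][j - 2] + 1);
      }
    }
  }
  return dp[a.length][b.length];
}

// Report dependency names that are close to, but not equal to, a popular name.
function findLookalikes(depNames, popular = POPULAR, maxDistance = 2) {
  const findings = [];
  for (const name of depNames) {
    if (popular.includes(name)) continue; // exact match is the real package
    for (const p of popular) {
      const d = editDistance(name, p);
      if (d <= maxDistance) findings.push({ name, resembles: p, distance: d });
    }
  }
  return findings;
}

// npm runs these script hooks automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts);
}

// Audit a project's package.json: lookalike names across deps and devDeps.
function auditPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return findLookalikes(Object.keys(deps));
}

// Constructed sample project and a constructed third-party manifest.
const sampleProject = { dependencies: { electorn: "^1.0.0", express: "^4.0.0" }, devDependencies: { lodashs: "*" } };
const sampleManifest = { name: "example-pkg", scripts: { preinstall: "node setup.js", test: "jest" } };
console.log(auditPackageJson(sampleProject), installHooks(sampleManifest));
```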

The malicious packages were published to NPM between August 17th and August 24th. The typosquatting trick fooled more than 400 users into downloading and installing these packages before the software analysis company Sonatype detected it using their automated tools.

The attackers' motivations remain unknown. There are a few possibilities: This may have been a simple harmless experiment done to see how many people fall for these kinds of typosquatting attacks. That the scripts only collected a limited amount of user data and posted it to a public GitHub page points in that direction. It is also possible that this was the first step in a more sophisticated attack using several stages: The attacker could have intended to release updated versions of those packages with more dangerous functionality, backdoors and even rootkits.

These NPM packages were available for more than a month before they were discovered and removed. Be careful what you type when you npm install.
