A routine scan of the NPM open source code repository in April turned up a number of packages using a JavaScript obfuscator to hide their true function.
After further investigation, analysts with ReversingLabs reported they have uncovered a campaign dating back at least six months that used more than two dozen malicious NPM modules to steal data from websites and applications. In total, the team found that the malicious NPM packages had been downloaded 27,000 times.
“While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands, of downstream mobile and desktop applications as well as websites,” the ReversingLabs researchers explained in a blog post. “In one case, a malicious package had been downloaded more than 17,000 times.”
Attack Relies on Typo-Squatting
The attack relies on so-called typo-squatting, in which threat actors disguise malicious code packages with names very close to legitimate ones, including subtle naming variations and common misspellings, the researchers said.
For example, one of the malicious packages lurking in the NPM repository is named “umbrellaks,” an attempt to hijack developers looking for the popular document object model (DOM) framework “umbrellajs,” the ReversingLabs team added.
What makes this supply chain attack reminiscent of the SolarWinds attack, the analysts pointed out, is that the target is not the developer inadvertently using the malicious code but, rather, the website or application further down the software supply chain.
“This attack marks a significant escalation in software supply-chain attacks,” according to the ReversingLabs malicious NPM report. “Malicious code bundled within the NPM modules is running inside an unknown number of mobile and desktop applications and web pages, harvesting untold amounts of user data.”
Many of the malicious open source modules are still available, despite the analysts reporting their findings to NPM on July 1, they added. The report contains a list of affected packages.