Recommended reading

NPM users warned dozens of malicious packages aim to steal host and network data

News
By published

There are a few packages crashing systems, too

Cyber security Cloud computing blue abstract digital binary code background. Innovative technology and Artificial intelligence concept. New futuristic system technology symbol. Vector illustration.
(Image credit: Shutterstock / MiniStocker)
  • Socket found 60 malicious NPM packages
  • The malware spoofed legitimate packages
  • It was capable of exfiltrating sensitive data

Cybersecurity researchers Socket have warned of multiple malicious packages hosted on NPM, stealing sensitive user data and relaying it to the attackers.

In a blog post, Socket said it identified 60 packages on NPM, which were uploaded from May 12 onward, using three separate accounts. The packages contained a post-install script that runs during ‘npm install’ and exfiltrates hostnames, internal IP addresses, user home directories, current working directories, usernames, and system DNS servers.

The script also checks for hostnames related to cloud providers, and reverse DNS strings, to make sure it’s not running in a sandbox.

While theoretically possible, Socket said the packages did not deliver additional malware, or escalate privileges. Also, no persistence mechanisms were spotted, either.

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

​Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.

It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats.

Preferred partner (What does this mean?)

View Deal

A new spin on old tricks

Apparently, this was a typical typosquatting attack.

The names of the packages were similar to other, legitimate ones, such as “flipper-plugins”, “react-xterm2”, or “hermes-inspector-msggen”. Based on the names, the researchers surmised that the attackers targeted CI/CD pipelines.

Before being pulled from the repository, the packages were downloaded roughly 3,000 times.

The complete list of the 60 malicious packages can be found on this link. Those who have downloaded any of these are advised to remove them immediately and then run a full system scan. They should also rotate key credentials and activate 2FA where possible.

Socket discovered a separate campaign, also on NPM, and also employing the typosquatting technique. This one, however, distributes eight malicious packages that can delete files, corrupt data, and brick entire systems. They’ve been present on NPM for roughly two years, it was said, and during this time, they managed to amass 6,200 downloads.

Platforms such as NPM or PyPI are constantly targeted by cybercriminals who use it to try and compromise software developers working on open-source projects.

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.