Developers: NPM
Technology: Application Development Tools
2023
On February 26, 2023, it became known that an attack on NPM repository users had been recorded: on February 20, 2023, more than 15 thousand packages were published in the NPM repository whose README files contained links to phishing sites or referral links that pay a commission per click. The analysis identified 190 unique phishing or advertising links in the packages, covering 31 domains.
As reported, the package names were chosen to attract the interest of ordinary users, for example "free-tiktok-followers", "free-xbox-codes", "instagram-followers-free", etc. The intent was to flood the list of recent updates on the NPM front page with spam packages. The package descriptions included links promising free giveaways, gifts and game cheats, as well as free services for artificially boosting followers and likes on social networks such as TikTok and Instagram. This is not the first attack of this kind: in December, the publication of 144 thousand spam packages in the NuGet, NPM and PyPi repositories was recorded.
The contents of the packages were generated automatically by a Python script which, apparently through oversight, was left inside the packages and contained working credentials for the accounts used in the attack. The packages were published from many different accounts, using methods that complicate tracing and the prompt identification of the problem packages.
In addition to the fraudulent activity in the NPM and PyPi repositories, several attempts to publish malicious packages were also identified:
- In the PyPI repository, 451 malicious packages were found that masqueraded as popular libraries using typosquatting (assigning similar names that differ in individual characters, for example, vper instead of vyper, bitcoinnlib instead of bitcoinlib, ccryptofeed instead of cryptofeed, ccxt instead of ccxt, cryptocommpare instead of cryptocompare, selium instead of selenium, aller, pinster, etc.). The packages included obfuscated code for stealing cryptocurrency: it detected crypto wallet identifiers in the clipboard and replaced them with the attacker's wallet (the assumption being that, when making a payment, the victim will not notice that the wallet address pasted from the clipboard is different). The substitution was carried out by a browser add-on that executed in the context of every web page viewed.
- A series of malicious HTTP libraries was detected in the PyPI repository. Malicious activity was found in 41 packages whose names were chosen by typosquatting and resembled popular libraries (aio5, requestst, ulrlib, urllb, libhttps, piphttps, httpxv2, etc.). The contents were styled as working HTTP libraries or copied the code of existing libraries, and the descriptions made claims about advantages over, and comparisons with, legitimate HTTP libraries. The malicious activity amounted to either downloading malware onto the system or collecting and sending out confidential data.
- In NPM, 16 JavaScript packages were identified (including speedte, trova and lagra) which, in addition to the declared functionality (bandwidth testing), also contained code for mining cryptocurrency without the user's knowledge.
- In NPM, 691 malicious packages were identified. Most of the problem packages pretended to be Yandex projects (yandex-logger-sentry, yandex-logger-qloud, yandex-sendsms, etc.) and included code for sending confidential information to external servers. It is assumed that the published packages were an attempt to get themselves substituted for an internal dependency when projects are built at Yandex (a dependency confusion attack, in which a public package replaces an internal one of the same name). In the PyPI repository, the same researchers found 49 packages (reqsystem, httpxfaster, aio6, gorilla2, httpsos, pohttp, etc.) with obfuscated malicious code that downloads and launches an executable file from an external server[1].
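One defender-side check for the dependency substitution described in the last item is to audit the lock file for packages with an internal naming pattern whose tarball was resolved from anywhere other than the private registry. This is an added example, not code from the page or from Yandex; the "yandex-" prefix, the private registry host npm.internal.example and the lock file content are constructed for illustration.

```python
"""Audit an npm package-lock.json (lockfileVersion 2/3 layout) for packages with
an internal naming pattern that were resolved from somewhere other than the
private registry, i.e. the footprint of a dependency-confusion substitution.
Added example, not code from the page or from Yandex; the "yandex-" prefix, the
private registry host and the lock file content are constructed for illustration."""
import json
from urllib.parse import urlparse

# Constructed sample: one internal package correctly pinned to the private
# registry, one pulled from the public registry at a suspiciously high version
# (a public copy with a higher version is what makes the resolver prefer it).
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"yandex-logger-sentry": "^1.0.0",
                              "yandex-sendsms": "^2.1.0", "lodash": "^4.17.21"}},
        "node_modules/yandex-logger-sentry": {
            "version": "1.0.0",
            "resolved": "https://npm.internal.example/yandex-logger-sentry/-/yandex-logger-sentry-1.0.0.tgz"},
        "node_modules/yandex-sendsms": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/yandex-sendsms/-/yandex-sendsms-99.0.0.tgz"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    },
})


def find_confused_deps(lock_json, internal_prefixes, private_host):
    """Return [(name, version, resolved)] for every installed package whose name
    starts with an internal prefix but whose tarball host is not private_host.
    Entries with no resolved URL at all are reported too, for manual review."""
    lock = json.loads(lock_json)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # "" is the root project entry, not an installed package
        name = path.rsplit("node_modules/", 1)[1]  # also handles nested installs
        if not name.startswith(tuple(internal_prefixes)):
            continue
        resolved = meta.get("resolved", "")
        if urlparse(resolved).hostname != private_host:
            hits.append((name, meta.get("version"), resolved))
    return hits


if __name__ == "__main__":
    for name, ver, src in find_confused_deps(SAMPLE_LOCK, ["yandex-"], "npm.internal.example"):
        print(f"SUSPECT {name}@{ver} resolved from {src}")
```

The durable fix is to keep internal packages under a scope that .npmrc maps to the private registry, so that a same-named public package is never consulted; the audit above catches projects where that mapping is missing.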
2022
Distribution of phishing packages through the repository
On December 15, 2022, it was reported that a campaign to distribute phishing packages had been discovered by analysts from Checkmarx and Illustria, who worked together to investigate the incident. According to the experts, the packages were published from accounts following a particular naming scheme, had similar descriptions, and led to the same cluster of 90 domains hosting more than 65,000 phishing pages.
Malicious packages in the repository
On February 24, 2022, it became known that 25 libraries containing malicious JavaScript that steals Discord tokens and environment variables had been found in the official NPM repository. The libraries use so-called typosquatting: their names closely resemble those of legitimate libraries, with a slight difference. In particular, they disguise themselves as colors.js, crypto-js, discord.js, marked and noblox.js, according to JFrog.
Attackers use stolen Discord tokens to gain unauthorized access to accounts without needing a password, and distribute malicious links through the accounts hijacked in this way. Environment variables, stored as key-value pairs, hold information about the programming environment on the developer's computer, including API access tokens, authorization keys, API URLs and account names.
List of malicious libraries:
- node-colors-sync (steals Discord tokens);
- color-self (steals Discord tokens);
- color-self-2 (steals Discord tokens);
- wafer-text (steals environment variables);
- wafer-countdown (steals environment variables);
- wafer-template (steals environment variables);
- wafer-darla (steals environment variables);
- lemaaa (steals Discord tokens);
- adv-discord-utility (steals Discord tokens);
- tools-for-discord (steals Discord tokens);
- mynewpkg (steals environment variables);
- purple-bitch (steals Discord tokens);
- purple-bitchs (steals Discord tokens);
- noblox.js-addons (steals Discord tokens);
- kakakaakaaa11aa (reverse shell);
- markedjs (remote Python code injection tool);
- crypto-standarts (remote Python code injection tool);
- discord-selfbot-tools (steals Discord tokens);
- discord.js-aployscript-v11 (steals Discord tokens);
- discord.js-selfbot-aployscript (steals Discord tokens);
- discord.js-selfbot-aployed (steals Discord tokens);
- discord.js-discord-selfbot-v4 (steals Discord tokens);
- colors-beta (steals Discord tokens);
- vera.js (steals Discord tokens);
- discord-protection (steals Discord tokens).
Two malicious packages, markedjs and crypto-standarts, differ from the rest in that their functionality fully corresponds to the legitimate versions of the marked and crypto-js libraries, but they can also inject additional malicious Python code[2].
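A dependency-name check that covers both naming tricks seen on this page, the character-level typos of the PyPI campaigns (vper/vyper, requestst/requests, ulrlib/urllib) and the affix-style NPM lookalikes above (node-colors-sync, colors-beta, noblox.js-addons). This is an added example, not code from the page or from JFrog; the POPULAR list and the sample names are constructed, using names the page discusses.

```python
"""Flag dependency names that look like typosquats of popular packages.
Added example, not code from the page or the researchers it cites; the POPULAR
list and sample names are constructed (taken from names the page discusses)."""
import re

SEP = r"[-_.]"
POPULAR = ["requests", "urllib3", "aiohttp", "vyper", "bitcoinlib", "cryptofeed",
           "cryptocompare", "selenium", "colors", "crypto-js", "discord.js",
           "marked", "noblox.js"]


def edit_distance(a, b):
    """Optimal-string-alignment distance: an adjacent transposition costs 1,
    so 'ulrlib' is one edit from 'urllib' (typo-style lookalikes)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(name, popular=POPULAR, max_dist=2):
    """Return (verdict, lookalike): 'known' for a popular name itself, 'typo'
    (vper/vyper, requestst/requests) or 'affix' (colors-beta/colors,
    noblox.js-addons/noblox.js) for a lookalike, 'ok' when nothing matched."""
    low = name.lower()
    if low in popular:
        return "known", low
    for p in popular:
        if edit_distance(low, p) <= max_dist:
            return "typo", p
    for p in popular:
        # popular name bounded by a separator or string end: "node-colors-sync"
        # matches "colors", "colorspace" does not
        if re.search(rf"(^|{SEP}){re.escape(p)}($|{SEP})", low):
            return "affix", p
    return "ok", None


if __name__ == "__main__":
    for dep in ["requests", "requestst", "vper", "node-colors-sync", "lodash"]:
        print(dep, "->", classify(dep))
```

A name that scores 'typo' or 'affix' is not proof of malice (forks and plugins legitimately reuse names), so the output is a review queue for a build gate, not an automatic block.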