More than 200 Malicious NPM Packages Target Azure Developers

Security researchers have discovered more than 200 malicious NPM packages targeting Azure developers with the sole purpose of stealing personally identifiable information.

Andrey Polkovnychenko and Shachar Menashe, researchers at JFrog, reported: “After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure NPM scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope.”

The packages were spotted about two days after they were published and have since been removed from the NPM registry, but not before each of them had been downloaded roughly 50 times on average.

Attacks of this type are known as typosquatting: bad actors push rogue packages whose names mimic legitimate libraries to a public software registry such as NPM or PyPI, hoping to trick users into installing them.

In the case reported by the DevSecOps firm, the bad actors created malicious counterparts of existing @azure scope packages with the same name but without the scope prefix (e.g., @azure/core-tracing vs. core-tracing).

The researchers added, “The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package. For example, running npm install core-tracing by mistake, instead of the correct command – npm install @azure/core-tracing.”

The attacker used a different username for each package upload so that no single account would draw suspicion. They also published the malware-laced libraries with unusually high version numbers (e.g., 99.10.9), which indicates an attempt at a dependency confusion attack: a package manager that resolves a name against both a private and a public registry will pick the highest version it finds, so an inflated public version wins over a legitimate internal one.
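The two tells described above (an unscoped name that shadows a real @azure package, and an implausibly high version) can both be checked mechanically before anything is installed. The following is an added example written for this article, not code from JFrog or from the npm project: it scans a package.json-shaped object and flags dependencies that match either pattern. The list of @azure package names is a short constructed sample (the real scope has many more), the major-version threshold of 90 is a hypothetical heuristic, and the package.json is constructed for the demonstration.

```javascript
'use strict';

// Constructed sample of legitimate @azure scoped package names. A real check
// would load the full list of names published under the scope.
const KNOWN_AZURE_SCOPED = new Set([
  '@azure/core-tracing',
  '@azure/core-http',
  '@azure/identity',
  '@azure/storage-blob',
]);

// Hypothetical threshold: legitimate packages almost never reach a major
// version this high, while dependency-confusion uploads (e.g. 99.10.9) do.
const SUSPICIOUS_MAJOR = 90;

// Extract the major version from a semver spec such as "^3.1.3" or ">=12.0.0".
// Returns null for specs with no leading number (tags like "latest", URLs).
function parseMajor(spec) {
  const m = /^\s*[\^~>=<]*\s*v?(\d+)/.exec(String(spec));
  return m ? Number(m[1]) : null;
}

// Walk the dependency sections of a package.json object and return a list of
// findings, each with the section, name, spec and the reasons it was flagged.
function analyzeDependencies(pkg, knownScoped = KNOWN_AZURE_SCOPED, scope = '@azure') {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const reasons = [];
      // Typosquat tell: "core-tracing" requested while "@azure/core-tracing" exists.
      if (!name.startsWith('@') && knownScoped.has(`${scope}/${name}`)) {
        reasons.push(`unscoped name shadows ${scope}/${name}`);
      }
      // Dependency-confusion tell: a version number far above anything plausible.
      const major = parseMajor(spec);
      if (major !== null && major >= SUSPICIOUS_MAJOR) {
        reasons.push(`implausibly high version ${spec}`);
      }
      if (reasons.length > 0) findings.push({ section, name, spec, reasons });
    }
  }
  return findings;
}

// Constructed package.json for the demonstration (not a real project).
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: {
    '@azure/identity': '^3.1.3',
    'core-tracing': '99.10.9',
    'express': '^4.18.2',
  },
  devDependencies: {
    'storage-blob': '^12.0.0',
  },
};

// Render findings as one line each, suitable for a CI log.
function formatFindings(findings) {
  return findings.map(f => `${f.section}: ${f.name}@${f.spec} -> ${f.reasons.join('; ')}`);
}

for (const line of formatFindings(analyzeDependencies(SAMPLE_PACKAGE_JSON))) {
  console.log(line);
}
```

Run against the sample, the check flags core-tracing on both counts and storage-blob on the missing scope only; the correctly scoped @azure/identity passes. Pinning the registry for the scope in .npmrc and reviewing the lockfile diff on every dependency change are the complementary controls that catch what a name-and-version heuristic cannot.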

Developers who unknowingly install one of these packages may execute a reconnaissance payload that lists directories and gathers the user’s current working directory, the IP addresses of the machine’s network interfaces, and its configured DNS servers, all of which is exfiltrated to a hardcoded remote server.

The researchers added, “Due to the meteoric rise of supply chain attacks, especially through the NPM and PyPI package repositories, it seems that more scrutiny and mitigations should be added. For example, adding a CAPTCHA mechanism on npm user creation would not allow attackers to easily create an arbitrary amount of users from which malicious packages could be uploaded, making attack identification easier.”
