Ten Malicious NPM Packages Steal Data Across Operating Systems
Published: October 26, 2023 | Source: dnsc.ro
Security researchers at Socket have uncovered ten malicious packages on the Node Package Manager (npm) registry designed to steal sensitive data from Windows, Linux, and macOS systems. These packages, downloaded nearly 10,000 times, rely on typosquatting: mimicking the names of popular projects to deceive developers.
The malicious packages masquerade as legitimate tools like TypeScript, discord.js, and react-router-dom. Upon installation, a hidden “postinstall” script runs, presenting users with a fake CAPTCHA to appear legitimate. The script then downloads a large 24MB executable, built with PyInstaller, which is the core of the multiplatform infostealer.
This infostealer aggressively targets passwords, API tokens, and data stored within web browsers and credential managers. The stolen information is then transmitted to a command and control server located at 195[.]133[.]79[.]43.
Despite being reported to npm, the malicious packages remain available as of today. Security experts strongly advise immediate action for anyone suspecting they may have installed these packages: delete the infected packages, rotate all passwords and access tokens, and meticulously verify the source of all packages before installation from public registries.
The Growing Threat of Supply Chain Attacks
This incident highlights the increasing risk of supply chain attacks targeting developers. Typosquatting is a common tactic, exploiting human error and the reliance on package managers. The trend of malicious packages appearing on npm and other registries is a growing concern, demanding increased vigilance and robust security practices within the software development lifecycle. The use of PyInstaller to create a large executable is also noteworthy, as it can bypass some security checks.
Frequently Asked Questions About the NPM Infostealer
- What is npm?
- npm (Node Package Manager) is the default package manager for the Node.js runtime environment. It allows developers to easily share and reuse code, but can also be a vector for distributing malicious software.
- What is typosquatting and how does it work?
- Typosquatting involves creating packages with names very similar to popular, legitimate packages. Developers may accidentally install the malicious package due to a simple typo, believing it to be the correct one.
- Which operating systems are affected by this infostealer?
- This multiplatform infostealer is capable of stealing data from Windows, Linux, and macOS systems, making it a widespread threat.
- What type of data does this infostealer target?
- The infostealer specifically targets passwords, API tokens, and data stored in web browsers and credential managers.
- How can I remove potentially infected packages?
- Immediately delete any suspicious packages from your project. Use npm’s uninstall command (npm uninstall [package-name]) to remove them.
- Why is rotating passwords and tokens vital?
- If you suspect you’ve installed a malicious package, rotating your passwords and API tokens is crucial to prevent the attacker from using compromised credentials.
- How can I prevent future infections?
- Always double-check package names before installing, verify the publisher’s reputation, and consider using tools that scan for malicious code in dependencies.
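The two warning signs the article describes, an install-time “postinstall” hook and a name one typo away from a popular project, can be checked mechanically. The following is an added example written for this page, not code from Socket or the article; the package list and sample manifests are constructed, and in a real project you would read each node_modules/<name>/package.json from disk.

```javascript
// Added example (not from the article or Socket's research): audit installed
// dependencies for the two warning signs the report describes, install-time
// lifecycle scripts and typosquatted names. A project-wide mitigation, set by
// `npm config set ignore-scripts true`, stops such hooks from running at all.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"]; // run by npm install
const POPULAR = ["typescript", "discord.js", "react-router-dom"]; // names impersonated

// Levenshtein edit distance, used to spot near-miss package names.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const sub = d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, sub);
    }
  }
  return d[a.length][b.length];
}

// Audit one parsed package.json; returns human-readable findings (empty = clean).
function auditPackage(pkg, popular = POPULAR) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`${pkg.name}: runs ${hook} script "${scripts[hook]}"`);
  }
  for (const real of popular) {
    const dist = editDistance(pkg.name.toLowerCase(), real);
    if (dist > 0 && dist <= 2) {
      findings.push(`${pkg.name}: ${dist} edit(s) away from popular package "${real}"`);
    }
  }
  return findings;
}

// Constructed sample manifests (not real packages) so the script runs stand-alone;
// in practice read each node_modules/<name>/package.json with fs.readFileSync.
const SAMPLES = [
  { name: "react-router-dom", version: "6.0.0", scripts: { build: "tsc" } },
  { name: "react-routr-dom", version: "6.0.0", scripts: { postinstall: "node ./setup.js" } },
];

for (const pkg of SAMPLES) {
  for (const finding of auditPackage(pkg)) console.log("WARN", finding);
}
```

A flagged install hook is not proof of malice (many legitimate native modules use one), but it marks exactly the package whose script body deserves a read before the next install.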