TYPOSQUATTING AHEAD

Hundreds of code libraries posted to NPM try to install malware on dev machines

These are not the developer tools you think they are.

Dan Goodin
Credit: Getty Images

An ongoing attack is uploading hundreds of malicious packages to the open source node package manager (NPM) repository in an attempt to infect the devices of developers who rely on code libraries there, researchers said.

The malicious packages have names that are similar to legitimate ones for the Puppeteer and Bignum.js code libraries and for various libraries for working with cryptocurrency. The campaign, which was active at the time this post was going live on Ars, was reported by researchers from the security firm Phylum. The discovery comes on the heels of a similar campaign a few weeks ago targeting developers using forks of the Ethers.js library.

Beware of the supply chain attack

“Out of necessity, malware authors have had to endeavor to find more novel ways to hide intent and to obfuscate remote servers under their control,” Phylum researchers wrote. “This is, once again, a persistent reminder that supply chain attacks are alive and well.”

When installed, the malicious packages use a novel way to conceal the IP address the devices contact to receive malicious second-stage malware payloads. The IP address doesn’t appear in the first-stage code at all. Instead, the code accesses an Ethereum smart contract to “fetch a string, in this case an IP address, associated with a specific contract address on the Ethereum mainnet.” Short for main network, a mainnet is the primary blockchain network supporting a cryptocurrency such as Ethereum, where transactions occur. The Ethereum mainnet is explained in more detail here.

The IP address returned by a package Phylum analyzed was: hxxp://193.233.201[.]21:3001.

While the method was likely intended to conceal the source of second-stage infections, it ironically had the effect of leaving a trail of previous addresses the attackers had used in the past. The researchers explained:

An interesting thing about storing this data on the Ethereum blockchain is that Ethereum stores an immutable history of all values it has ever seen. Thus, we can see every IP address this threat actor has ever used.

On 2024-09-23 00:55:23Z it was hxxp://localhost:3001
From 2024-09-24 06:18:11Z it was hxxp://45.125.67[.]172:1228
From 2024-10-21 05:01:35Z it was hxxp://45.125.67[.]172:1337
From 2024-10-22 14:54:23Z it was hxxp://193.233[.]201.21:3001
From 2024-10-26 17:44:23Z it is hxxp://194.53.54[.]188:3001

When installed, the malicious packages come in the form of a packed Vercel package. The payload runs in memory, sets itself to load with each reboot, and connects to the IP address from the ethereum contract. It then “performs a handful of requests to fetch additional Javascript files and then posts system information back to the same requesting server,” the Phylum researchers wrote. “This information includes information about the GPU, CPU, the amount of memory on the machine, username, and OS version.”
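The two paragraphs above describe what the first-stage install hook does: it runs at install time, reads a server address from an Ethereum contract, executes its payload in memory, and posts host details back. A defender reviewing a suspicious package can turn that description into a static triage pass. The following is an added example written for this page, not code from Ars or from Phylum, and the indicator list, the weights, the score thresholds and the scanned package contents are all constructed assumptions for the demo, not a signature set taken from the campaign.

```javascript
// Added example (not from the article or from Phylum): static triage of an
// unpacked npm package. It scores the traits the article describes:
// install-time lifecycle hooks, an Ethereum library plus mainnet provider and
// contract address used to look up a server, in-memory code execution, and
// host fingerprinting. Indicator regexes and weights are constructed heuristics.
const INDICATORS = [
  { id: "eth-library", weight: 2, re: /\brequire\(["'](ethers|web3)["']\)|from\s+["'](ethers|web3)["']/ },
  { id: "eth-mainnet", weight: 2, re: /\bmainnet\b|getDefaultProvider|JsonRpcProvider/ },
  { id: "eth-address", weight: 2, re: /\b0x[0-9a-fA-F]{40}\b/ },
  { id: "in-memory-exec", weight: 3, re: /\beval\(|new\s+Function\(|\bvm\.(runInThisContext|runInNewContext)\(/ },
  { id: "host-fingerprint", weight: 1, re: /\bos\.(cpus|totalmem|userInfo|release|platform)\(/ },
  { id: "outbound-post", weight: 1, re: /method:\s*["']POST["']|\.post\(/ },
];

// npm runs these script hooks automatically during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Return the lifecycle hooks a package.json declares.
function lifecycleHooks(pkgJsonText) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string");
}

// Match every indicator against every line of one source file.
function scanSource(filename, source) {
  const hits = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    for (const ind of INDICATORS) {
      if (ind.re.test(line)) hits.push({ id: ind.id, file: filename, line: idx + 1 });
    }
  });
  return hits;
}

// `files` maps path -> contents for an unpacked package. Each distinct
// indicator counts once; an install hook adds a flat bonus because code that
// runs on `npm install` deserves the most scrutiny.
function triagePackage(files) {
  const hooks = lifecycleHooks(files["package.json"]);
  const hits = [];
  for (const [name, src] of Object.entries(files)) {
    if (name.endsWith(".js")) hits.push(...scanSource(name, src));
  }
  const ids = [...new Set(hits.map((h) => h.id))].sort();
  let score = ids.reduce((s, id) => s + INDICATORS.find((i) => i.id === id).weight, 0);
  if (hooks.length > 0) score += 3;
  const verdict = score >= 8 ? "block" : score >= 4 ? "review" : "pass";
  return { hooks, indicators: ids, hits, score, verdict };
}

// Constructed fixture: a package whose postinstall script has the shape the
// article describes. It is not functional code and the address is the zero
// address placeholder, not a real contract.
const SAMPLE_PACKAGE = {
  "package.json": JSON.stringify({
    name: "sample-pkg", // constructed name
    version: "1.0.0",
    scripts: { postinstall: "node setup.js" },
  }),
  "setup.js": [
    "// constructed fixture, not a working payload",
    'const { ethers } = require("ethers");',
    'const os = require("os");',
    'const provider = ethers.getDefaultProvider("mainnet");',
    'const CONTRACT = "0x0000000000000000000000000000000000000000"; // placeholder',
    "const info = { cpu: os.cpus().length, mem: os.totalmem() };",
  ].join("\n"),
};

// Constructed fixture: a package with no hooks and no indicators.
const BENIGN_PACKAGE = {
  "package.json": JSON.stringify({ name: "tiny-util", version: "1.0.0" }),
  "index.js": "module.exports = (s) => s.trim();",
};

console.log(JSON.stringify(triagePackage(SAMPLE_PACKAGE), null, 2));
console.log(JSON.stringify(triagePackage(BENIGN_PACKAGE), null, 2));
```

The scan is deliberately line-oriented and regex-based so it can run over a tarball before anything is executed; a real deployment would pair it with an allowlist of packages that legitimately use Ethereum libraries, because an `ethers` import alone is normal for Web3 projects and only becomes interesting next to an install hook and host fingerprinting.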

Attacks like this one rely on typosquatting, a term for the use of names that closely mimic those of legitimate packages but contain small differences, such as those that might occur if the package was inadvertently misspelled. Typosquatting has long been a tactic for luring people to malicious websites. Over the past five years, typosquatting has been embraced to trick developers into downloading malicious code libraries.

Developers should always double-check names before running downloaded packages. The Phylum blog post provides names, IP addresses, and cryptographic hashes associated with the malicious packages used in this campaign.
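The advice to double-check names can be automated as a pre-install gate: compare each requested package name against the packages a project actually depends on and flag names that sit within a small edit distance of one of them without being it. The block below is an added example for this page, not code from Ars or Phylum. The allowlist, the candidate names and the distance threshold are constructed for the demo; "puppeteer", "bignum" and "ethers" are only there because the article names those libraries, and the misspelled candidates are invented, not the package names from the campaign.

```javascript
// Added example (not from the article or from Phylum): a typosquat check for
// npm package names. Allowlist, candidates and threshold are constructed.

// Optimal string alignment distance: insertions, deletions, substitutions and
// adjacent transpositions each cost 1. Transpositions matter because swapped
// letters are one of the most common typing errors typosquats imitate.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Normalise for comparison: lower-case, drop an npm scope ("@scope/pkg" -> "pkg")
// and strip separators, so "big-num" and "bignum" compare as the same string.
function normalizeName(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[-_.]/g, "");
}

// "allowed" only for an exact (case-insensitive) allowlisted name. A normalised
// distance of 0 with a different raw name (a scoped copy, or the same letters
// with different separators) is still "suspicious", not allowed.
function checkPackageName(name, allowlist, maxDistance = 2) {
  const lower = name.toLowerCase();
  if (allowlist.some((k) => k.toLowerCase() === lower)) {
    return { verdict: "allowed", closest: lower, distance: 0 };
  }
  const target = normalizeName(name);
  let closest = null;
  let best = Infinity;
  for (const known of allowlist) {
    const dist = osaDistance(target, normalizeName(known));
    if (dist < best) { best = dist; closest = known; }
  }
  if (best <= maxDistance) return { verdict: "suspicious", closest, distance: best };
  return { verdict: "unknown", closest: null, distance: best };
}

// Constructed allowlist: what this project is known to depend on.
const ALLOWLIST = ["puppeteer", "bignum", "ethers"];

// Constructed candidates: one exact match, three invented misspellings, a
// scoped copy of an allowlisted name, and an unrelated real package.
const SAMPLE_REQUESTS = [
  "puppeteer", "pupeteer", "puppteer", "bignun",
  "@example-scope/puppeteer", "express",
];

function auditNames(names, allowlist = ALLOWLIST) {
  return names.map((n) => ({ name: n, ...checkPackageName(n, allowlist) }));
}

for (const r of auditNames(SAMPLE_REQUESTS)) {
  console.log(`${r.verdict.padEnd(10)} ${r.name}` + (r.closest ? `  (closest: ${r.closest}, distance ${r.distance})` : ""));
}
```

An "unknown" result is not a clean bill of health; it only means the name is not near anything on the allowlist, so a new dependency still needs the usual review. The threshold of 2 is a trade-off: short names such as "ethers" will collide with more legitimate neighbours than long ones, so a production gate would typically scale the threshold with name length or keep a per-name exception list.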

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.