Threat actors have been observed downloading malicious typosquats of legitimate npm packages such as typescript-eslint and @types/node, which have garnered thousands of downloads in the package registry.
The counterfeit versions, named @typescript_eslinter/eslint and types-node, are designed to load a trojan and to retrieve a second-stage payload, respectively.
“While typosquatting attacks are hardly new, it’s worth noting the effort nefarious contributors have put into these two libraries to pass them off as legitimate,” Sonatype’s Ax Sharma said in an analysis published Wednesday.
“Furthermore, high download numbers for packages like ‘types-node’ are an indication that some developers may be succumbing to these typosquats, and threat actors artificially inflating these numbers to increase the credibility of their harmful components.”
Sonatype’s analysis revealed that the npm listing for @typescript_eslinter/eslint points to a fake GitHub repository created by an account named “typewriter-eslinter,” itself created on November 29, 2024. The package contains a file named “prettier.bat.”
Another package associated with the same npm/GitHub account is @typescript_eslinter/prettier. It impersonates the well-known code formatting tool of the same name, but it is actually set up to install the fake @typescript_eslinter/eslint library.
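To show the naming trick from the defender's side, here is an added example in Python (not code from Sonatype or from this article) that audits a package.json for dependency names confusable with a short allowlist of well-known packages. It normalizes scope and separator characters so that `types-node` collapses onto `@types/node`, and it compares scopes on their own so that `@typescript_eslinter` is measured against `@typescript-eslint`. The allowlist, the edit-distance threshold and the sample manifest are assumptions constructed for the example.

```python
"""Flag npm dependency names that look like typosquats of well-known packages.

Added example for this article; the allowlist, threshold and sample
manifest below are constructed, not taken from Sonatype's analysis.
"""
import json
import re

# Constructed allowlist: in practice this would be the project's known-good set.
KNOWN_PACKAGES = [
    "@typescript-eslint/eslint-plugin",
    "@typescript-eslint/parser",
    "@types/node",
    "eslint",
    "prettier",
    "typescript",
]

# Constructed sample manifest: two confusable names mixed with legitimate ones.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"lodash": "^4.17.21", "types-node": "*"},
    "devDependencies": {
        "@typescript_eslinter/eslint": "1.0.0",
        "@typescript-eslint/parser": "^8.0.0",
        "eslint": "^9.0.0",
    },
})


def split_scope(name):
    """Return (scope, package) for '@scope/pkg', or (None, name) when unscoped."""
    if name.startswith("@") and "/" in name:
        scope, pkg = name[1:].split("/", 1)
        return scope, pkg
    return None, name


def normalize(name):
    """Lower-case and collapse '@', '/', '-', '_' so confusable spellings align."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower().lstrip("@")).strip()


def levenshtein(a, b):
    """Plain edit distance; package names are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_distance(dep, known):
    """Edit distance between dep and known under the confusion rules above.

    Returns None when dep sits in the same scope as known: a scope belongs to
    one publisher, so '@types/foo' is not a squat of '@types/node'.
    """
    dep_scope, _ = split_scope(dep)
    known_scope, _ = split_scope(known)
    if dep_scope is not None and dep_scope == known_scope:
        return None
    distance = levenshtein(normalize(dep), normalize(known))
    if dep_scope and known_scope:
        # Look-alike scopes are the whole trick with '@typescript_eslinter': compare them alone.
        distance = min(distance, levenshtein(normalize(dep_scope), normalize(known_scope)))
    return distance


def suspicious_names(dependencies, known=KNOWN_PACKAGES, max_distance=3):
    """Return (dependency, closest known package, distance) for each confusable name."""
    findings = []
    for dep in dependencies:
        if dep in known:
            continue
        best = None
        for candidate in known:
            d = typosquat_distance(dep, candidate)
            if d is not None and d <= max_distance and (best is None or d < best[2]):
                best = (dep, candidate, d)
        if best:
            findings.append(best)
    return findings


def audit_package_json(text):
    """Audit the dependencies and devDependencies of a package.json document."""
    manifest = json.loads(text)
    deps = {}
    for field in ("dependencies", "devDependencies"):
        deps.update(manifest.get(field, {}))
    return suspicious_names(deps)


if __name__ == "__main__":
    for dep, closest, d in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"{dep!r} is {d} edit(s) from {closest!r}")
```

On the sample manifest the audit reports `types-node` at distance 0 from `@types/node` and `@typescript_eslinter/eslint` at distance 2 from the `@typescript-eslint` scope, while `lodash` and the genuine `@typescript-eslint/parser` pass. A real deployment would feed it the organisation's own allowlist and run it in CI before `npm install`.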
The malicious library contains code that moves “prettier.bat” to a temporary directory and adds it to the Windows Startup folder so that it runs automatically every time the machine reboots.
“However, far from being a ‘batch’ file, the ‘prettier.bat’ file is actually a Windows executable (.exe) file that was previously marked as a Trojan and a dropper on VirusTotal,” Sharma said.
The second package, types-node, instead fetches scripts from a Pastebin URL that are responsible for running a malicious executable deceptively named “npm.exe.”
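The two traits described above, an install-time hook and a file whose extension says script but whose bytes say Windows executable, are both cheap to check before a package is trusted. The following added Python example (not code from the article or from Sonatype) inspects an unpacked package directory for them: it lists npm lifecycle scripts that run during `npm install`, and it flags any text-like file whose first two bytes are the `MZ` magic of a PE image. The sample package it builds in a temporary directory is constructed for the demonstration; its `prettier.bat` is a stub holding only header bytes, not the real file.

```python
"""Audit an unpacked npm package for install hooks and executables disguised as scripts.

Added example; the package built by build_sample_package() is constructed.
"""
import json
import tempfile
from pathlib import Path

# Extensions a reader expects to hold text, not a PE image.
TEXT_LIKE_EXTENSIONS = {".bat", ".cmd", ".js", ".mjs", ".json", ".txt", ".sh"}
# npm lifecycle scripts that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def is_pe_in_disguise(path):
    """True when the file starts with 'MZ', the DOS header magic of Windows executables."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def audit_package_dir(root):
    """Return a list of (kind, subject, detail) findings for the package under root."""
    root = Path(root)
    findings = []
    manifest = root / "package.json"
    if manifest.is_file():
        scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts", {})
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append(("install-hook", hook, scripts[hook]))
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_LIKE_EXTENSIONS and is_pe_in_disguise(path):
            findings.append(("pe-in-disguise", path.relative_to(root).as_posix(), ""))
    return findings


def build_sample_package():
    """Create a constructed package layout in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="pkg-audit-"))
    (root / "package.json").write_text(json.dumps({
        "name": "example-pkg",  # placeholder name, not a real package
        "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }), encoding="utf-8")
    # Stub standing in for a PE file saved under a .bat name: DOS header magic only.
    (root / "prettier.bat").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "index.js").write_text("module.exports = {};\n", encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for kind, subject, detail in audit_package_dir(build_sample_package()):
        print(kind, subject, detail)
```

Run against a package fetched with `npm pack` and extracted, the script gives two short lists that are worth reading before any install hook is allowed to execute; the magic-byte check is deliberately crude and catches exactly the renamed-executable case the article describes, not packed or scripted payloads.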
“This case highlights the urgent need for improved supply chain security measures and greater vigilance in monitoring third-party software registry developers,” Sharma said.
This development comes as ReversingLabs discovered several malicious extensions in the Visual Studio Code (VSCode) marketplace in October 2024, with another package appearing in the npm registry a month later. That package attracted a total of 399 downloads.
The list of fake VSCode extensions removed from the store is given below –
- EVM.Blockchain-Toolkit
- VoiceMod.VoiceMod
- ZoomVideoCommunications.Zoom
- ZoomINC.Zoom-Workplace
- Ethereum.SoliditySupport
- ZoomWorkspace.Zoom
- ethereumorg.Solidity-Language-for-Ethereum
- VitalikButerin.Solidity-Ethereum
- SolidityFoundation.Solidity-Ethereum
- EthereumFoundation.Solidity-Language-for-Ethereum
- SOLIDNESS. Solidity-Language
- GavinWood.SolidityLang
- EthereumFoundation.Solidity-for-Ethereum-Language
“The campaign started out targeting the crypto community, but by the end of October, the extensions released mostly mimicked the Zoom app,” ReversingLabs researcher Lucija Valentić said. “And each malicious extension published was more sophisticated than the last.”
All extensions as well as the npm package were found to include obfuscated JavaScript code that acts as a loader for the second-stage payload from a remote server. The exact nature of the payload is currently unknown.
The findings reiterate the need to exercise caution when downloading tools and libraries from open source repositories, and to avoid introducing malicious code as a dependency in a larger project.
“The ability to install plugins and extend the functionality of IDEs makes them very attractive targets for attackers,” Valentić said. “VSCode extensions are often overlooked as a security risk when installed in an IDE, but an IDE hack can be a landing point to further disrupt the enterprise development cycle.”