“Malicious Code Repositories aimed at Hundreds of JavaScript Developers”

"Malicious Code Repositories aimed at Hundreds of JavaScript Developers"

“Malicious Code Repositories aimed at Hundreds of JavaScript Developers”


# Continuous NPM Supply Chain Assault: Harmful Packages Aim at Developers

In a troubling update for the software development sector, a sustained attack has been discovered that involves the introduction of numerous harmful packages to the open-source Node Package Manager (NPM) repository. These packages are intended to compromise the devices of developers who depend on widely-used code libraries. The ongoing attack was recently highlighted by the security firm Phylum and underscores the escalating risk of supply chain assaults within the software environment.

## The Assault: Typosquatting and Harmful Packages

The perpetrators are employing a strategy known as **typosquatting**, where harmful packages are named similarly to legitimate ones to deceive developers into downloading them. Specifically, these malicious packages imitate popular libraries such as [Puppeteer](https://www.npmjs.com/package/puppeteer) and [Bignum.js](https://www.npmjs.com/package/bignum.js), as well as various libraries associated with cryptocurrency development.

Typosquatting has historically been a method used to attract unwitting users to harmful websites. However, over the last five years, this strategy has increasingly been utilized to mislead developers into installing malicious code libraries. In this instance, the harmful packages aim to infect the developer’s system and could jeopardize the security of their projects.

## Supply Chain Assaults: A Rising Concern

Supply chain assaults, where attackers focus on the software supply chain by infiltrating third-party components, have emerged as a noteworthy issue in recent years. Phylum researchers accentuated the ongoing nature of these attacks, remarking:

> “Out of necessity, malware authors have had to endeavor to find more novel ways to hide intent and to obfuscate remote servers under their control. This is, once again, a persistent reminder that supply chain attacks are alive and well.”

The harmful packages in this initiative utilize a fresh approach to mask the IP addresses of the servers they connect with to gain second-stage malware payloads. Rather than hardcoding the IP address in the first-stage code, the attackers leverage an Ethereum smart contract to dynamically fetch the IP address.

## How the Attack Operates

When a developer installs one of the malicious packages, the code taps into an Ethereum smart contract to obtain a string containing the IP address of the server responsible for delivering the second-stage malware. This technique allows the attackers to sidestep directly embedding the IP address in the code, thereby making it more challenging to detect the malicious operations.

Interestingly, while this technique was likely designed to obscure the source of the second-stage infections, it inadvertently created a record of previous IP addresses utilized by the attackers. The Ethereum blockchain retains an immutable history of all values related to a contract, enabling researchers to trace the past IP addresses employed.

Phylum researchers successfully identified multiple IP addresses used by the attackers, including:

– **hxxp://localhost:3001** (2024-09-23)
– **hxxp://45.125.67[.]172:1228** (2024-09-24)
– **hxxp://45.125.67[.]172:1337** (2024-10-21)
– **hxxp://193.233[.]201.21:3001** (2024-10-22)
– **hxxp://194.53.54[.]188:3001** (2024-10-26)

## The Malicious Payload

Upon installation, the harmful packages manifest as a packed [Vercel](https://en.wikipedia.org/wiki/Vercel) package. The payload operates in memory, configures itself to load with each reboot, and connects to the IP address obtained from the Ethereum smart contract. Following this, it executes several actions, including:

– Retrieving additional JavaScript files from the malicious server.
– Transmitting system information back to the server, encompassing details about the GPU, CPU, memory, username, and operating system version.

This information could be leveraged by attackers to further breach the system or to customize future attacks according to the specific hardware and software setup of the compromised machine.

## Safeguarding Yourself: Recommended Practices for Developers

To prevent becoming a victim of this attack type, developers should implement the following measures:

1. **Verify package names:** Typosquatting exploits minute differences in package names, such as misspellings or extra symbols. Always confirm the name of a package before downloading it, particularly if it is a new or unfamiliar library.

2. **Utilize reliable sources:** Whenever feasible, obtain packages from official repositories or trusted sources. Exercise caution when utilizing third-party libraries that are not well-established or widely recognized.

3. **Keep an eye on dependencies:** Regularly scrutinize your project’s dependencies to ensure that no harmful or compromised packages have been introduced. Tools like [npm audit](https://docs.npmjs.com/cli/v7/commands/npm-audit) can assist in identifying vulnerabilities in your