
Hackers target npm developers with typosquat packages


Hackers are targeting the well-known open-source npm (Node package manager) registry in a large-scale attack involving malicious packages. The campaign, discovered by supply chain security specialists at Phylum, has so far yielded 287 malicious packages. The attackers use a technique called typosquatting: they publish packages under names that differ from legitimate ones by only a character or two, so that a developer who mistypes a name installs the malicious package instead.

The aim is to infect the systems of developers who rely on the registry for their code. To hide where the malware is served from, the packages use a novel mechanism to obscure the IP address of the payload server. Instead of embedding an IP address, the malicious code queries an Ethereum smart contract at a fixed contract address on the Ethereum main network, and the contract returns a string containing the IP address to contact.

When installed, the malicious packages often masquerade as Vercel packages. They set themselves up to run again after each reboot, connect to the IP address obtained from the Ethereum contract, and then issue several requests to retrieve the remaining JavaScript files.

Hackers use typosquatting on npm

System information about the affected machine, including data on the processor, GPU, amount of memory, OS version, and username, is sent back to the same server from which the files were retrieved. Phylum’s specialists were able to reconstruct the attack infrastructure because the Ethereum blockchain keeps an immutable history of every value the contract has stored. This allowed the researchers to recover all the IP addresses the attackers have used for this campaign.

To counter the attack, and typosquatting in general, Phylum advises developers to always check package names carefully for typos before installing. The researchers also published a list of all the package names, IP addresses, and cryptographic hashes used in this malware campaign. In related news, other hacker groups continue to exploit various vulnerabilities.
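The advice above, "check package names carefully for typos", can be partly automated. The following is an added example, not code from the article or from Phylum: it compares each dependency in a project's manifest against a list of trusted package names and flags near-misses using an edit distance that counts a swapped pair of letters as a single edit, since transpositions are the commonest typosquat. The dependency list and the trusted list are constructed sample data; the tolerance of one edit for short names and two for longer ones is an assumption chosen to keep false positives down.

```javascript
// Added example (not from the article or Phylum): flag dependencies whose
// names are a small edit away from a trusted package name.

// Optimal-string-alignment (Damerau-Levenshtein) distance: insertions,
// deletions, substitutions and adjacent transpositions each cost 1.
function editDistance(a, b) {
  const m = a.length, n = b.length;
  const d = Array.from({ length: m + 1 }, () => new Array(n + 1).fill(0));
  for (let i = 0; i <= m; i++) d[i][0] = i;
  for (let j = 0; j <= n; j++) d[0][j] = j;
  for (let i = 1; i <= m; i++) {
    for (let j = 1; j <= n; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      // Adjacent transposition ("lodahs" vs "lodash") counts as one edit.
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[m][n];
}

// Split "@scope/name" into parts; unscoped names get scope null.
function splitName(pkg) {
  const m = /^(?:(@[^/]+)\/)?([^/]+)$/.exec(pkg);
  return m ? { scope: m[1] || null, name: m[2] } : null;
}

// Flatten "@vercel/next" to "vercel-next" so that scoped and unscoped
// lookalikes are compared on the same footing.
function flatten(parts) {
  return (parts.scope ? parts.scope.slice(1) + '-' : '') + parts.name;
}

// Compare every dependency against the trusted list. Exact matches pass;
// a near-miss is reported as a suspected typosquat. Assumption: short names
// (under 8 characters) tolerate only one edit, longer names two, so that
// unrelated short names such as "vite" and "vue" are not flagged.
function findTyposquats(dependencies, trusted, maxDist = 2) {
  const trustedSet = new Set(trusted);
  const trustedFlat = trusted.map(t => ({ full: t, flat: flatten(splitName(t)) }));
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    if (trustedSet.has(dep)) continue;
    const parts = splitName(dep);
    if (!parts) continue;
    const depFlat = flatten(parts);
    for (const t of trustedFlat) {
      const allowed = Math.min(maxDist, t.flat.length >= 8 ? 2 : 1);
      const dist = editDistance(depFlat, t.flat);
      if (dist > 0 && dist <= allowed) {
        findings.push({ dependency: dep, lookalike: t.full, distance: dist });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifest: two exact names, three typos, one unrelated name.
const sampleDependencies = {
  express: '^4.19.0',        // trusted, exact
  '@vercle/next': '^1.0.0',  // transposition of @vercel/next
  pupeteer: '^21.0.0',       // missing letter in puppeteer
  lodahs: '^4.17.0',         // transposition of lodash
  chalk: '^5.0.0',           // trusted, exact
  vite: '^5.0.0',            // legitimate, two edits from "vue": not flagged
};
// Constructed trusted list (in practice: the project's lockfile or an allowlist).
const trustedPackages = ['express', '@vercel/next', 'puppeteer', 'lodash', 'chalk', 'vue'];

console.log(findTyposquats(sampleDependencies, trustedPackages));
```

Run with `node` to see the three flagged names; in a real pipeline the trusted list would come from the previous lockfile or an internal allowlist, and any finding would block the install for manual review rather than merely print.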

For instance, the Lazarus hackers have found another entry into the Windows kernel, and Russian state hackers have been attacking European companies via Teams. As a preventive measure, developers and organizations must stay vigilant and regularly review security advisories, especially when dealing with open-source platforms and packages.
