Malicious modules found in the NPM library were downloaded thousands of times
The researchers described it as a “coordinated supply chain attack.”
“Although the full extent of this attack is not yet known, the malicious packages we discovered are likely used by hundreds, if not thousands, of downstream mobile and desktop applications as well as websites,” the report said. “In one case, a malicious package had been downloaded more than 17,000 times.”
Attackers rely on typos, giving their packages names that resemble, or are common misspellings of, legitimate packages. Among those imitated are high-traffic modules such as umbrellas (the fake module is called umbrellas) and packages published by ionic.io.
Similarities between the domains used to exfiltrate the data indicate that the various modules in this campaign are under the control of a single actor, the report adds.
NPM is one of several open source package repositories that host software packages used by developers in their applications. Others include PyPI, Ruby and NuGet.
ReversingLabs examined the suspicious modules it found and discovered that each of them harvests form data using jQuery Ajax functions and sends it to various domains controlled by the malicious authors.
Not only are the names of the malicious packages similar to those of legitimate packages, the websites the packages link to are in some cases well-made copies of genuine websites. This also deceives those who download the packages. For example, this is the fake Ionic page that links to one of the malicious packages discovered by ReversingLabs …
… and this is the real website.
“This attack marks a significant escalation in software supply chain attacks,” the report said. “Malicious code gathered in the NPM modules runs in an unknown number of mobile and desktop applications and websites, and harvests countless amounts of user data.
“The NPM modules our team identified have been downloaded more than 27,000 times in total. Since very few development organizations have the ability to detect malicious code in open source libraries and modules, the attacks persisted for several months before coming to our attention. Although a few of the named packages have been removed from NPM, most are still available for download at the time of this report.”