Author Typosquatting on npm: Attackers Impersonate Sindre Sorhus with Malicious ‘chalk-node’ Package

Summary:
Typosquatting has evolved to include impersonating legitimate package authors, as demonstrated by the creation of a malicious npm package named “chalk-node” by a threat actor posing as Sindre Sorhus. This backdoored package exploits trust and aims to exfiltrate sensitive data from unsuspecting developers’ systems. Security tools like Socket’s AI Scanner are essential in identifying and mitigating such supply chain risks.
#Typosquatting #SupplyChainSecurity #MaliciousPackages


Key points:

  • Threat actor created a typosquatted npm account and package to impersonate Sindre Sorhus.
  • The malicious package “chalk-node” was designed to infiltrate developers’ projects.
  • Socket’s AI Scanner identified risks associated with the chalk-node package.
  • The package includes an obfuscated file, index.esm.js, that accesses the user’s file system.
  • Data exfiltration occurs through the misuse of Sentry, sending sensitive information without authorization.
  • The code overrides console.log to capture and send logged sensitive data to an external service.
  • Socket provides tools to detect and mitigate risks from typosquatting and malicious packages.
  • Developers are encouraged to verify package and author names and use security tools for protection.

MITRE Techniques

  • Impersonation (T1589): Threat actor mimics legitimate package author to gain trust.
  • Data Exfiltration (T1041): Exfiltrates sensitive information from the user’s file system to an external service.
  • Obfuscated Files or Information (T1027): Utilizes obfuscation techniques to hide malicious code functionality.
  • Command and Control (T1071): Sends exfiltrated data to an external Sentry instance for unauthorized access.

IoC:

  • [file name] index.esm.js


Full Research: https://socket.dev/blog/author-typosquatting-on-npm