New research shows how typosquatting doesn’t just apply to web domains

Malicious NPM packages broadcast sensitive user data online

Security researchers discovered two malicious NPM packages that, if unwittingly downloaded by developers, published users’ IP addresses, usernames, and device fingerprint data online.

The malicious open source components, found on the NPM package repository, had names that closely resembled those of legitimate packages, DevOps automation specialist Sonatype revealed last week.

Developers who accidentally mistyped the names of the corresponding benign packages – typing ‘electorn’ instead of the legitimate ‘electron’, for instance – might then have unknowingly downloaded a typosquatting impersonator instead.

Once installed, ‘electorn’ and ‘loadyaml’ collected, then published, sensitive user data to a public GitHub page.

Sonatype told The Daily Swig that NPM has removed both packages from its repository, and GitHub has taken down the associated GitHub page, following the publication of its findings.

An additional pair of malicious components (‘lodashs’ and ‘loadyml’) were removed by the author – ‘simplelive12’, who planted all four packages – “before these could be detected or flagged”.

As of September 30, when the research was published, the four packages had together been downloaded more than 400 times, with ‘electorn’ notching 255 downloads, and ‘loadyaml’ 48.

Malicious mechanisms

Both ‘electorn’ and ‘loadyaml’ comprised an index.js file that served as “a mere placeholder with innocuous skeleton code”, and a package.json file that purported to be “an electron wrapper offering some kind of auto-update functionality”, said Sonatype security researcher, Ax Sharma.

The ruse was given additional credibility by the fact that the legitimate electron package was pulled (albeit not actually used) as a dependency.

The malware disguised its API endpoints and URLs as base64-encoded strings.

“Because ‘preinstall’ scripts are executed before the installation begins,” the researchers surmised that simplelive12 “was relying on a user mistyping ‘NPM install electron’ as ‘NPM install electorn’,” said Sharma.
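As an added illustration (not code from the article or from Sonatype), the following Node.js script applies two checks the description above suggests a defender would want before installing: an edit-distance comparison of a package name against an assumed list of popular packages, to catch near-misses such as ‘electorn’, and a scan of the manifest for install-time lifecycle scripts such as ‘preinstall’. The popular-package list, the sample manifest and its `update.js` command are constructed for this example.

```javascript
// Added example: flag near-miss package names and install-time hooks.
// Assumed short allowlist of well-known packages (constructed for the example).
const POPULAR = ["electron", "lodash", "js-yaml", "express", "react"];

// Optimal string alignment distance: insert, delete, substitute, or swap
// two adjacent characters, so "electorn" vs "electron" scores 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Return the popular package a name most resembles when it is close but not
// identical; an exact match or a distant name yields null.
function likelyTyposquat(name, known = POPULAR) {
  if (known.includes(name)) return null;
  let best = null;
  for (const k of known) {
    const dist = editDistance(name, k);
    if (dist <= 2 && (best === null || dist < best.distance)) best = { target: k, distance: dist };
  }
  return best;
}

// Lifecycle scripts npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
function installHooks(manifest) {
  return INSTALL_HOOKS.filter((h) => manifest.scripts && typeof manifest.scripts[h] === "string");
}

// Constructed manifest mirroring the layout the article describes (not the real package).
const sampleManifest = {
  name: "electorn",
  version: "1.0.0",
  scripts: { preinstall: "node update.js" },
  dependencies: { electron: "^10.0.0" },
};

function audit(manifest, known = POPULAR) {
  return { typosquat: likelyTyposquat(manifest.name, known), hooks: installHooks(manifest) };
}

console.log(JSON.stringify(audit(sampleManifest), null, 2));
```

A name that is both close to a popular package and carries an install-time hook is the combination worth blocking or reviewing by hand.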

An update.js file collected “the logged in user’s username, home directory path, and CPU model information”, while a fetchIPInfo function exfiltrated “the user’s IP address and looks up the corresponding city and country”.

An update() function then uploaded the data to a public GitHub page as “comments”, which were deleted after 24 hours.

“It is not entirely clear how this data is being processed and why is it removed every 24 hours from the public page,” said Sharma.

Disclosure timeline

The malicious packages were published on NPM between August 17 and 24, and the illegitimately collected data started appearing on GitHub on August 25.

Sonatype said the components were flagged as suspicious on August 18 by Sonatype’s malicious code detection bots, which, said Sharma, “use machine learning and artificial intelligence to identify suspicious code commits, update signals, and developer patterns”.

The research was published, and GitHub and NPM notified of the problem, on September 30.

Swimming upstream

Sonatype recently reported a 430% year-on-year increase in “next-generation” software supply chain attacks. This makes it “virtually impossible to manually chase and keep track of such components,” said Sharma.

These attacks “are far more sinister because bad actors are no longer waiting for public vulnerability disclosures,” he added. “Instead, they are taking the initiative and actively injecting malicious code into open source projects that feed the global supply chain.”
