The attacker used a technique called "typo-squatting": registering packages whose names are common misspellings of popular libraries, so that a developer who mistypes an install command (or copies a wrong name from a tutorial) pulls in the attacker's package instead of the real one. For example, the attacker registered a malicious package named "mongose" that contained the source of the legitimate Mongoose project plus extra malicious code.
The attack is dangerous because the malicious code read the environment variables of any machine that installed it, and developers frequently store secrets such as database passwords or API access tokens in environment variables rather than in source code.
The issue first came to light when Swedish developer Oscar Bolmsten ran across the malicious "crossenv" npm package, a typo-squat of the legitimate cross-env package.
The developer reported the issue to the npm security team who eventually tracked down the rest of the affected packages and banned HackTask's npm account. Below is the full list of malicious npm packages — with their respective download counts:
babelcli: 42
cross-env.js: 43
crossenv: 679
d3.js: 72
fabric-js: 46
ffmepg: 44
gruntcli: 67
http-proxy.js: 41
jquery.js: 136
mariadb: 92
mongose: 196
mssql-node: 46
mssql.js: 48
mysqljs: 77
node-fabric: 87
node-opencv: 94
node-opensl: 40
node-openssl: 29
node-sqlite: 61
node-tkinter: 39
nodecaffe: 40
nodefabric: 44
nodeffmpeg: 39
nodemailer-js: 40
nodemailer.js: 39
nodemssql: 44
noderequest: 40
nodesass: 66
nodesqlite: 45
opencv.js: 40
openssl.js: 43
proxy.js: 43
shadowsock: 40
smb: 40
sqlite.js: 48
sqliter: 45
sqlserver: 50
tkinter: 45
Developers who installed any of these packages in their projects are advised to treat the passwords and access tokens that were present in those environments or configurations as exposed and to rotate them.
Typo-squatting attacks are also common on Google's Chrome Web Store and Android Play Store, where malicious actors often copy popular Chrome extensions or Android apps, add malicious code, and re-upload the content on the official store with names similar to the originals.
In June 2017, the npm security team forced password resets for a large number of users after a researcher found that accounts with weak or reused passwords controlled about 13% of all npm packages.
Image credits: npm, Inc., Bleeping Computer