
On August 1, npm Inc. — the company that runs the biggest JavaScript package repository — removed 38 JavaScript npm packages that were caught stealing environment variables from infected projects.

According to a subsequent investigation by npm's team, on July 19, a person named HackTask uploaded 38 JavaScript libraries on the npm repository.

Attacker typo-squatted on famous project names

The attacker used a technique called "typo-squatting" to register packages with names similar to popular libraries, but containing typos in their names. For example, the attacker registered a malicious package named "mongose" that contained the source of the legitimate Mongoose project plus extra malicious code.

The malicious code in these packages would execute when developers built and ran their own JavaScript projects. It collected the local environment variables and uploaded them to the attacker's server at npm.hacktask.net.

The attack is dangerous because sensitive information, such as hard-coded passwords or API access tokens, is frequently stored in environment variables.

Issue discovered by Swedish developer

The issue first came to light when Swedish developer Oscar Bolmsten ran across the cross-env npm package.

The developer reported the issue to the npm security team, which eventually tracked down the rest of the affected packages and banned HackTask's npm account. Below is the full list of malicious npm packages, with their respective download counts:

babelcli: 42
cross-env.js: 43
crossenv: 679
d3.js: 72
fabric-js: 46
ffmepg: 44
gruntcli: 67
http-proxy.js: 41
jquery.js: 136
mariadb: 92
mongose: 196
mssql-node: 46
mssql.js: 48
mysqljs: 77
node-fabric: 87
node-opencv: 94
node-opensl: 40
node-openssl: 29
node-sqlite: 61
node-tkinter: 39
nodecaffe: 40
nodefabric: 44
nodeffmpeg: 39
nodemailer-js: 40
nodemailer.js: 39
nodemssql: 44
noderequest: 40
nodesass: 66
nodesqlite: 45
opencv.js: 40
openssl.js: 43
proxy.js: 43
shadowsock: 40
smb: 40
sqlite.js: 48
sqliter: 45
sqlserver: 50
tkinter: 45

Developers who used any of these packages within their projects are advised to change any passwords or access tokens they stored in their configurations.
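As an added example (not code from the article or from npm), the following script audits a project's package.json against the 38 removed names above and also flags dependencies that sit one edit away from a popular package, the pattern the attacker relied on. The POPULAR list and the sample manifest are assumptions constructed for the demo.

```javascript
// Added example (not from the article or npm): audit a package.json's
// dependencies against the 38 names npm removed, and flag lookalikes of
// popular packages. POPULAR is an assumed list chosen for this demo.
const MALICIOUS = new Set([
  "babelcli", "cross-env.js", "crossenv", "d3.js", "fabric-js", "ffmepg",
  "gruntcli", "http-proxy.js", "jquery.js", "mariadb", "mongose", "mssql-node",
  "mssql.js", "mysqljs", "node-fabric", "node-opencv", "node-opensl",
  "node-openssl", "node-sqlite", "node-tkinter", "nodecaffe", "nodefabric",
  "nodeffmpeg", "nodemailer-js", "nodemailer.js", "nodemssql", "noderequest",
  "nodesass", "nodesqlite", "opencv.js", "openssl.js", "proxy.js", "shadowsock",
  "smb", "sqlite.js", "sqliter", "sqlserver", "tkinter",
]);
const POPULAR = ["cross-env", "mongoose", "ffmpeg", "jquery", "d3", "node-sass",
  "nodemailer", "sqlite3", "mssql", "openssl"];
// Damerau-Levenshtein (optimal string alignment) distance, so a swapped pair
// of letters such as "ffmepg" vs "ffmpeg" counts as a single edit.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}
// Strip the decorations typosquats add (".js" suffix, hyphens) before comparing.
const normalize = (n) => n.replace(/\.js$/, "").replace(/-/g, "");
// Returns { known: [...], suspicious: [{ name, lookalike }] } for a parsed package.json.
function auditDependencies(pkg) {
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const known = names.filter((n) => MALICIOUS.has(n));
  const suspicious = [];
  for (const n of names) {
    if (MALICIOUS.has(n) || POPULAR.includes(n)) continue; // exact names need no fuzzy check
    const hit = POPULAR.find((p) => editDistance(normalize(n), normalize(p)) <= 1);
    if (hit) suspicious.push({ name: n, lookalike: hit });
  }
  return { known, suspicious };
}
// Constructed sample manifest (not a real project): one removed package,
// one unlisted lookalike, and two legitimate dependencies.
const SAMPLE = { dependencies: { "cross-env": "5.0.1", mongose: "4.11.1", jquerry: "3.2.1" },
  devDependencies: { express: "4.15.4" } };
console.log(JSON.stringify(auditDependencies(SAMPLE)));
```

Run against a real manifest by replacing SAMPLE with `JSON.parse(require("fs").readFileSync("package.json"))`; a hit in `known` means the secrets in that project's environment should be treated as exposed.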

Typo-squatting attacks are also common on Google's Chrome Web Store and Android Play Store, where malicious actors often copy popular Chrome extensions or Android apps, add malicious code, and re-upload the content on the official store with names similar to the originals.

In June 2017, the npm security team forced password resets for a large number of users after a researcher discovered that 13% of all npm packages used weak credentials.

In March 2017, a team of six researchers from the College of Computer and Information Science at Northeastern University discovered that over a third of today's most popular websites use outdated JavaScript libraries that are subject to known and old vulnerabilities.

Image credits: npm, Inc., Bleeping Computer