Security News > 2022 > March > Over 200 Malicious NPM Packages Caught Targeting Azure Developers

A new large scale supply chain attack has been observed targeting Azure developers with no less than 218 malicious NPM packages with the goal of stealing personal identifiable information.

The entire set of malicious packages was disclosed to the NPM maintainers roughly two days after they were published, leading to their quick removal, but not before each of the packages were downloaded around 50 times on average.

The attack refers to what's called typosquatting, which takes place when bad actors push rogue packages with names mimicking legitimate libraries to a public software registry such as NPM or PyPI with the hope of tricking users into installing them.

Not only did the attack leverage a unique username to upload every single package to the repository to avoid raising suspicion, the malware-laced libraries also featured high version numbers, indicating an attempt to carry out a dependency confusion attack.

"Due to the meteoric rise of supply chain attacks, especially through the NPM and PyPI package repositories, it seems that more scrutiny and mitigations should be added," the researchers said.

Adding a CAPTCHA mechanism on npm user creation would not allow attackers to easily create an arbitrary amount of users from which malicious packages could be uploaded, making attack identification easier."

News URL

https://thehackernews.com/2022/03/over-200-malicious-npm-packages-caught.html