
Typo-squatting NPM software supply chain attack uncovered
2022-07-06 14:30

Researchers at ReversingLabs have uncovered evidence of a widespread software supply chain attack through malicious JavaScript packages picked up via NPM. NPM was acquired by Microsoft-owned GitHub in 2020 and has suffered from the odd issue or two over the years.

The latest problem stems from typo-squatting, where an attacker offers up malicious packages with names similar to real packages.

The attack looks distressingly coordinated: ReversingLabs noted that the malicious package was published from December 2021, and the unnamed gang behind it appears to have since moved on to other NPM packages.

Bad actors have attempted to hide the malicious code lurking within the packages by running it through an obfuscator.

ReversingLabs has already reported its findings to NPM and The Register asked the package slinger and its parent, GitHub, what could be done about the attack.

"The success of this attack - with more than two dozen malicious modules available for download on a popular package repository, and one of them with 17,000 downloads in a matter of weeks - underscores the freewheeling nature of application development, and the low barriers to malicious or even vulnerable code entering sensitive applications and IT environments."

News URL

https://go.theregister.com/feed/www.theregister.com/2022/07/06/npm_supply_chain_attack/