Malicious npm Libraries: A Growing Threat
Threat actors have been caught uploading malicious npm libraries that impersonate legitimate packages, such as typescript-eslint and @types/node, racking up thousands of downloads. These counterfeit libraries, named @typescript_eslinter/eslint and types-node, were specifically engineered to deliver trojans and fetch second-stage payloads.
"While typosquatting attacks are not new, the effort put into these libraries to make them appear legitimate is remarkable," noted Sonatype's Ax Sharma in a recent analysis.
He further emphasized, "The high download counts for packages like types-node suggest that some developers have fallen victim to these typosquats. Additionally, threat actors may be artificially inflating download statistics to make their malicious components seem more trustworthy."
The Mechanics of the Malicious Packages
Sonatype's investigation uncovered alarming details:
@typescript_eslinter/eslint:
- This package directs users to a fake GitHub repository under the account "typescript-eslinter," created on November 29, 2024.
- It includes a file named prettier.bat, which disguises itself as a batch script but is actually a Windows executable (.exe) flagged as a trojan by VirusTotal.
- The executable is designed to drop itself into the Windows Startup folder, ensuring it runs on every system reboot.
@typescript_eslinter/prettier:
- This library impersonates the popular Prettier code formatter but covertly installs the fake @typescript_eslinter/eslint package.
types-node:
- This package contacts a Pastebin URL to download and execute a malicious file, misleadingly named npm.exe.
Broader Implications for Supply Chain Security
The discovery of these malicious npm packages coincides with findings by ReversingLabs, which identified rogue extensions in the Visual Studio Code (VSCode) Marketplace. These extensions, removed in October 2024, targeted both cryptocurrency developers and enterprise tools like Zoom.
Examples of Malicious VSCode Extensions:
- EVM.Blockchain-Toolkit
- VoiceMod.VoiceMod
- ZoomINC.Zoom-Workplace
- Ethereum.SoliditySupport
- EthereumFoundation.Solidity-for-Ethereum-Language
The extensions contained obfuscated JavaScript that acted as a downloader for second-stage payloads, further exposing the risks of compromised software registries.
Lessons for Developers
These incidents underline the importance of vigilance when downloading tools and libraries from open-source platforms:
- Verify the legitimacy of libraries and extensions.
- Monitor for signs of typosquatting or inflated download counts.
- Avoid introducing untrusted dependencies into larger projects.
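One practical way to apply the first two lessons is a lookalike check over a project's dependencies before install. The script below is an added example, not code from the article or from Sonatype: it normalizes npm package names and flags any dependency that sits within a couple of edits of a trusted package or scope, which is enough to surface the two typosquats named above. The allowlist, the package.json contents and the distance threshold are constructed for the demonstration.

```javascript
// Added example, not the article's or Sonatype's code: flag dependency names confusable with
// trusted packages (e.g. "types-node", "@typescript_eslinter/eslint"); all inputs are constructed.

// Levenshtein distance between two strings (single-row dynamic programming).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Canonical form: drop "@", lowercase, fold "/", "_", "." into "-" ("@types/node" -> "types-node").
function normalize(name) {
  return name.toLowerCase().replace(/^@/, "").replace(/[\/_.]+/g, "-").replace(/-+/g, "-");
}

// Scope of a scoped name ("@types/node" -> "types"), normalized, or null if unscoped.
function scopeOf(name) {
  const m = /^@([^/]+)\//.exec(name);
  return m ? normalize(m[1]) : null;
}

// Report each dependency that is not itself trusted but lies within MAX_DISTANCE edits
// of a trusted package name or of a trusted scope (catches "@typescript_eslinter").
const MAX_DISTANCE = 2;
function findLookalikes(dependencies, trusted) {
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    if (trusted.includes(dep)) continue;
    for (const good of trusted) {
      const pairs = [[normalize(dep), normalize(good)]];
      if (scopeOf(dep) && scopeOf(good)) pairs.push([scopeOf(dep), scopeOf(good)]);
      const distance = Math.min(...pairs.map(([x, y]) => editDistance(x, y)));
      if (distance <= MAX_DISTANCE) { findings.push({ dependency: dep, resembles: good, distance }); break; }
    }
  }
  return findings;
}

// Constructed package.json "dependencies" mixing the article's typosquats with real names.
const SAMPLE_DEPENDENCIES = { "@types/node": "^20.0.0", "types-node": "^1.0.0",
  "@typescript_eslinter/eslint": "^1.0.0", "prettier": "^3.0.0" };
const TRUSTED = ["@types/node", "@typescript-eslint/eslint-plugin", "prettier", "eslint"];
```

Running findLookalikes(SAMPLE_DEPENDENCIES, TRUSTED) reports types-node as confusable with @types/node (distance 0 after normalization) and @typescript_eslinter/eslint as two edits from the @typescript-eslint scope, while the genuine @types/node and prettier entries pass.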
"The ability to install plugins and extend the functionality of IDEs makes them appealing targets for attackers," said ReversingLabs researcher Lucija Valentić. "Compromising an IDE could serve as a stepping stone for further attacks on an enterprise's development pipeline."
The findings highlight a pressing need to improve supply chain security and enforce stricter vetting processes for third-party tools. Developers must exercise caution to keep malicious code out of their projects, where it could lead to widespread damage across the software ecosystem.