In a classic case of typosquatting intended to fool inattentive users, the fake packages carried names that differed only slightly from those of genuine packages offered on npm. “The package naming was both deliberate and malicious – the intent was to collect useful data from tricked users,” npm explained in a blog post.
According to npm, a user by the handle of “hacktask” published the malicious libraries on July 19, including two that mimicked the popular “cross-env,” which between them were downloaded nearly 700 times before they were removed on Aug. 1. Fortunately, only about 50 of these downloads appear to be genuine installations by real users; the rest came from registry mirrors that automatically downloaded copies, npm explained.
It was a Swedish npm user who initially alerted npm to the problem, reporting via Twitter that a false cross-env package was engaged in suspicious activity.
“If you downloaded and installed any of these packages, you should immediately revoke and replace any credentials you might have had in your shell environment,” npm advised.
In response to the incident, npm banned the user “hacktask.” Additionally, npm said that its developers are discussing various approaches to detecting and preventing future instances of accidental or malicious typosquatting.
“There are programmatic ways to detect this, and we might use them to block publication,” the npm blog post reads. “We’re using the Smyte service [a trust and safety SaaS offering] to detect spam as it is published to the registry, and will be experimenting with using it to detect other kinds of violations of our terms of service.”
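One way to implement the kind of programmatic detection npm describes, as an added example that is not npm's own code: a pre-publish check that flags a proposed package name as a look-alike of a popular package when the two match after separators are dropped or sit within one edit (including an adjacent letter swap) of each other. The popular-package list and the candidate names are constructed samples, not names from the incident.

```javascript
// Added example (not npm's code): pre-publish typosquat check for npm package
// names. Popular-package list and candidate names below are constructed samples.
const POPULAR_PACKAGES = ["cross-env", "lodash", "express", "request"];

// Normalize the way a hurried reader does: lowercase, drop separators that
// look-alike names most often add or remove (e.g. "cross-env" vs "crossenv").
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Optimal string alignment distance: Levenshtein plus adjacent transpositions,
// so "lodahs" sits one edit from "lodash" rather than two.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0))
  );
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns the popular package a candidate name collides with, or null. An exact
// match is the genuine package (the registry already rejects duplicate names).
function findTyposquatTarget(candidate, popular = POPULAR_PACKAGES, maxDistance = 1) {
  const lower = candidate.toLowerCase();
  for (const target of popular) {
    if (lower === target) continue;
    if (normalize(lower) === normalize(target)) return target;
    if (editDistance(lower, target) <= maxDistance) return target;
  }
  return null;
}

// Constructed sample submissions: three look-alikes and one unrelated name.
for (const name of ["crossenv", "cross_env", "lodahs", "left-pad"]) {
  const hit = findTyposquatTarget(name);
  console.log(hit ? `${name}: blocked, resembles ${hit}` : `${name}: ok`);
}
```

A registry would run this against its own list of high-download packages and route hits to manual review rather than rejecting outright, since legitimate forks and scoped variants also land close to popular names.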