In a blog post, JFrog researchers identified hundreds of malicious packages designed to steal personally identifiable information (PII) in a typosquatting attack.
The researchers said in addition to @azure, a few other scopes were targeted: @azure-rest, @azure-tests, @azure-tools, and @cadl-lang. Because this set of legitimate packages gets downloaded tens of millions of times a week, the researchers said there’s a high chance that some developers will be fooled by this typosquatting attack.
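One defensive check that follows from the scopes named above, as an added example that is not code from JFrog or the article: audit a package.json for dependency names that look like lookalikes of those scopes. The article does not describe the exact naming pattern the attackers used, so the script assumes two heuristics, a scope one edit away from a targeted scope and an unscoped name that reuses a targeted scope's bare name; the sample package.json is constructed.

```javascript
// Scopes the JFrog report names as targeted (from the article).
const TARGETED_SCOPES = ["@azure", "@azure-rest", "@azure-tests", "@azure-tools", "@cadl-lang"];

// Levenshtein edit distance, used to catch one-character near-miss scopes.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Classify one dependency name; returns a reason string or null when it looks fine.
function checkName(name) {
  const scoped = name.startsWith("@");
  const scope = scoped ? name.split("/")[0] : null;
  if (scoped && TARGETED_SCOPES.includes(scope)) return null; // genuine targeted scope
  if (scoped) {
    // Assumed heuristic: a scope one edit away from a targeted scope is suspicious.
    const close = TARGETED_SCOPES.find((s) => editDistance(s, scope) === 1);
    return close ? `scope ${scope} is one edit away from ${close}` : null;
  }
  // Assumed heuristic: an unscoped name reusing a targeted scope's bare name (e.g. "azure-...").
  const bare = TARGETED_SCOPES.map((s) => s.slice(1)).find((s) => name === s || name.startsWith(s + "-"));
  return bare ? `unscoped name ${name} mimics @${bare}` : null;
}

// Run checkName over dependencies and devDependencies of a parsed package.json.
function auditDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    const reason = checkName(name);
    if (reason) findings.push({ name, reason });
  }
  return findings;
}

// Constructed sample package.json; the lookalike names are placeholders, not real packages.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "@azure/example-client": "^1.0.0", "azure-example-client": "1.0.0", express: "^4.18.0" },
  devDependencies: { "@azure-tols/example": "0.1.0" },
};

console.log(auditDependencies(SAMPLE_PACKAGE_JSON)); // two findings on the sample above
```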
Threat actors are attacking every aspect of the code supply chain, from the dependencies we bring into our code to our code servers and the secrets in source code, said Casey Bisson, head of product at BluBracket. Bisson said this attack appears to have targeted developers to extract PII and other information that might get used in escalated, more targeted attacks later.
“They didn’t need to deploy the attack to production to be successful, it simply needed to run on a developer’s machine,” Bisson said. “Early, often, and automated scanning of code and code servers are critical to protecting the entire supply chain from the code we bring in, through development, and all the way to deploy.”
Jason Hicks, field CISO and cybersecurity executive advisor at Coalfire, added that depending on how much control the maintainers of the repository have, the likelihood of a successful attack varies. Hicks said in many cases, packages are signed and only known members of a development team can perform this function. In npm’s case, and many others, Hicks said end users can offer up modules, and the vetting of these modules from a security perspective will vary by the package manager.
“In many cases these are volunteer efforts, so the level of resources available to perform security vetting of modules is not very high,” Hicks said. “We’ve seen the same kind of issues with apps submitted to Apple and Google’s app stores. Even with their significant resources dedicated to vetting apps, sometimes bad ones make it in for a limited amount of time. Based on the nature of the attack, it’s more likely to affect new users of npm, but even experienced developers could be affected if they fail to pay close attention to the name of a specific package they are installing. Given how quickly the maintainers took down the malicious content, the overall impact to the community should be limited.”