
Typosquatting campaign on NPM platform leverages open-source tools


A new malicious supply chain attack affecting the NPM platform has been discovered that underscores the need for development teams to sharpen their tools for detecting risks from open source packages.

In a blog post Oct. 4, ReversingLabs researchers said the supply chain attack first appeared as a typosquatting campaign in August. They said it pushed a malicious package, node-hide-console-windows, which downloaded a Discord bot that facilitated the planting of an open source rootkit, r77.

The ReversingLabs researchers said this was the first time they had discovered a malicious open-source package delivering rootkit functionality, which suggests that open-source projects may increasingly be seen as a way to distribute malware. 

As with many previous campaigns targeting the NPM repository, the researchers said this latest attack relies heavily on typosquatting, in which cybercriminals stand up malicious packages with names that closely resemble legitimate and widely used open-source modules. 

In this case, the malicious package, named "node-hide-console-windows," mimics the legitimate NPM package node-hide-console-window, which developers use to toggle an application’s console window visibility. The two package names are nearly identical, with only the letter “s” distinguishing the malicious package from the legitimate one.

What makes this so dangerous is that all of the projects used in this campaign were well-documented, open-source malware posted to major platforms like GitHub supposedly for training purposes. The researchers point out that the entire campaign was fashioned from components that are freely and publicly available online.

“Such availability makes supply chain attacks — once the province of well-resourced and sophisticated, nation-state or cybercriminal groups — accessible to low-skill malicious actors and script kiddies,” wrote the researchers. “For development organizations of all kinds, that’s even worse news than a slick, targeted and covert campaign like the one targeting 3CX or SolarWinds. That’s because it shows that the supply chain attack door is now open to low-stakes actors, who may fool incautious developers and infiltrate development pipelines in ways that reverberate far and wide.”

Unfortunately, attacking open-source packages has become more common, said Zane Bond, head of product at Keeper Security. Bond said open-source packages are the underpinnings of many enterprise software systems that are distributed globally, and one reason supply chain security has become a priority in recent years.

“Cybersecurity technologies protecting these environments must cover every user, on every device, from every location,” said Bond. “Data shows the human element is far more difficult to protect, and often, the most error-prone element of the attack chain. Therefore, organizations should focus on implementing modern, elegant and pervasive cybersecurity solutions that seamlessly integrate with identity solutions to provide enterprisewide visibility, security, reporting and control.”

John Bambenek, principal threat hunter at Netenrich, added that NPM modules are installed from the command line, which means accidental typos can happen. In this case, Bambenek said, instead of the expected library, developers get DiscordRAT, an open-source tool that can also install r77, an open-source rootkit.

“The use of open-source malware also is interesting because libraries and other tools pulling content from GitHub is normal behavior and would be overlooked,” said Bambenek. “Some previous incidents with r77 involved installing and hiding cryptominers on target machines. Teams need to keep a strong and accurate library of what packages are installed so they can quickly go back and remove libraries that have been compromised or malicious typosquatted libraries because that's a manual process.” 
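The lookalike naming described above and the package inventory Bambenek recommends can be combined into one check over a project's lockfile. The JavaScript below is an added example, not code from ReversingLabs or from this article; the function names, the trusted-name list and the sample lockfile contents are constructed assumptions.

```javascript
// Levenshtein edit distance between two strings (row-by-row dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Inventory: names from package-lock.json "packages" keys such as "node_modules/a/node_modules/@scope/b".
function lockedNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx !== -1) names.add(key.slice(idx + "node_modules/".length));
  }
  return [...names];
}

// Report installed names that are NOT trusted but sit within maxDistance edits of a trusted name.
function findLookalikes(lock, trusted, maxDistance = 2) {
  const trustedSet = new Set(trusted);
  const findings = [];
  for (const name of lockedNames(lock)) {
    if (trustedSet.has(name)) continue; // exact match with the allowlist is fine
    for (const good of trusted) {
      const d = editDistance(name, good);
      if (d <= maxDistance) findings.push({ installed: name, resembles: good, distance: d });
    }
  }
  return findings;
}

// Constructed sample lockfile (versions are placeholders) and a hypothetical allowlist.
const sampleLock = {
  packages: {
    "": { name: "demo-app" },
    "node_modules/node-hide-console-windows": { version: "0.0.0" },
    "node_modules/express": { version: "0.0.0" },
    "node_modules/express/node_modules/debug": { version: "0.0.0" },
  },
};
const trustedNames = ["node-hide-console-window", "express", "debug"];
console.log(findLookalikes(sampleLock, trustedNames));
```

Run in CI against the real `package-lock.json`, a non-empty result is a prompt for manual review rather than proof of malice, since legitimate packages can also have similar names.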
