Security researchers at Sonatype have discovered four npm packages containing malicious code that collected the user’s IP address, geolocation and device hardware data and uploaded the info to a public GitHub page.
The four malicious npm packages were electorn, loadyaml, lodashs, and loadyml. All four were published by the same user, “simplelive12”, and have now been removed: the first two were taken down by the npm team as of October 1, 2020, and the other two were unpublished by the author themselves.
The four packages uncovered by Sonatype carried names closely resembling those of legitimate packages, a technique known as typosquatting. If a user did not pay close attention and mistyped a single letter, they would download the fake package instead of the real one.
“The two packages representing next-generation software supply chain attacks rely on typosquatting - an attack that impersonates legitimate packages and makes them available for unsuspecting developers to download. Typosquatting packages prey on a developer or unsuspecting user to make a minor typographical error which will trick them into installing the malicious package within their environment instead of the one they had originally intended to download. For example, the developer requests the ‘electron’ package but unintentionally spells it ‘electorn’,” the researchers explained.
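The one-letter lookalikes described above (electorn for electron, lodashs for lodash) can be caught before installation with an edit-distance check over a project's package.json. The following is an added illustration written for this article, not Sonatype's tooling or any npm feature; the list of well-known package names and the sample manifest are constructed for the example.

```javascript
// Added example: flag package.json dependency names that are one typo away
// from a well-known package (defender-side check, not Sonatype's tooling).
// The "known" list is a small constructed sample, not a real registry index.
const KNOWN_PACKAGES = ["electron", "lodash", "express", "react", "js-yaml"];

// Optimal string alignment distance: one edit is an insertion, deletion,
// substitution, or swap of two adjacent characters ("electorn" -> "electron"
// is a single swap, which plain Levenshtein would count as two edits).
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Return [{ name, lookalike }] for every dependency that is within
// `maxDistance` edits of a known package but is not that package itself.
function findTyposquatCandidates(packageJson, known = KNOWN_PACKAGES, maxDistance = 1) {
  const names = Object.keys({
    ...(packageJson.dependencies || {}),
    ...(packageJson.devDependencies || {}),
  });
  const findings = [];
  for (const name of names) {
    if (known.includes(name)) continue; // exact match: the genuine package
    for (const k of known) {
      if (osaDistance(name.toLowerCase(), k) <= maxDistance) {
        findings.push({ name, lookalike: k });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifest using two of the names from the article.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { electorn: "^10.0.0", lodashs: "^4.17.0", express: "^4.17.1" },
};

console.log(findTyposquatCandidates(SAMPLE_PACKAGE_JSON));
```

Run against a real manifest, the known-package list should be replaced with a curated allow-list of the packages the organisation actually depends on, since the check is only as good as that list.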
Once the user downloaded and installed a malicious package, it would collect various data, such as the developer's IP address, country, city, computer username, home directory path, and CPU model information and publish this information as a new comment inside the "Issues" section of a GitHub repository.
The researchers said that the data did not stay on the repository for long: all information older than 24 hours was deleted. The purpose of the campaign is not yet clear, but the attackers’ end goal may have been reconnaissance.