NPM was acquired by Microsoft-owned GitHub in 2020 and has suffered from the odd issue or two over the years (from authorization problems in 2021 to credential problems this year).
The latest problem stems from typo-squatting, where an attacker offers up malicious packages with names similar to (or easy misspellings of) real packages. Examples given included a variety riffing on the name ionicons, which, in reality (when spelled correctly) is a handy open source set of 1,000 icons for use with web, desktop, iOS, and Android apps.
In the case of ionicons, the miscreants published 18 versions containing malicious form-stealing code; for example, icon-package (according to NPM download stats) has over 17,000 downloads. Other typo-squatting examples include umbrellaks instead of umbrellajs and so on.
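One defensive check a team can run against its own manifests is a name-similarity scan: flag any dependency that is not on an allow-list of packages the project knowingly uses but sits within a couple of edits of one. The example below is added here and is not code from ReversingLabs or NPM; the allow-list, the "expres" entry and the sample package.json are constructed for illustration, with umbrellaks taken from the article.

```python
"""Flag dependency names that look like typo-squats of known packages.

Added example, not from the article or from ReversingLabs. KNOWN_GOOD and
SAMPLE_PACKAGE_JSON are constructed; a real check would load the allow-list
from a maintained source (lockfile of a vetted release, internal registry).
"""
import json

# Constructed allow-list of names the project legitimately depends on.
KNOWN_GOOD = {"ionicons", "umbrellajs", "react", "lodash", "express"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def suspicious_dependencies(package_json: str, known=KNOWN_GOOD, max_distance=2):
    """Return {dependency: nearest_known_name} for every dependency that is
    absent from the allow-list yet within max_distance edits of an entry."""
    manifest = json.loads(package_json)
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    flagged = {}
    for name in deps:
        if name in known:
            continue
        nearest = min(known, key=lambda k: edit_distance(name, k))
        if edit_distance(name, nearest) <= max_distance:
            flagged[name] = nearest
    return flagged


# Constructed manifest: umbrellaks is the squat named in the article,
# "expres" is a made-up one-character slip of express.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"react": "^18.2.0", "umbrellaks": "^3.0.0", "ionicons": "^6.0.0"},
    "devDependencies": {"expres": "^4.0.0"},
})

if __name__ == "__main__":
    for dep, near in suspicious_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"{dep!r} is one or two edits from {near!r}; verify before installing")
```

A similarity check of this kind only catches near-miss spellings; a squat such as icon-package, which the article also cites, shares a theme with ionicons rather than its letters and needs a different control (pinned versions, a vetted internal registry, or review of new dependencies).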
As for what is taken, researchers found functionality capable of gathering data from pretty much every form element on a page.
The attack looks distressingly coordinated: ReversingLabs noted the malicious package was published from December 2021 and the unnamed gang behind it appears to have since moved on to other NPM packages.
ReversingLabs has already reported its findings to NPM and The Register asked the package slinger and its parent, GitHub, what could be done about the attack. Both have yet to respond.
As with all too many attacks, it appears to depend on users not being totally clear on what they are downloading.
In its blog post on the matter, ReversingLabs noted that: “The decentralized and modular nature of application development means that applications and services are only as strong as their least secure component.
“The success of this attack – with more than two dozen malicious modules available for download on a popular package repository, and one of them with 17,000 downloads in a matter of weeks – underscores the freewheeling nature of application development, and the low barriers to malicious or even vulnerable code entering sensitive applications and IT environments.” ®