A massive new supply chain attack targeting Azure developers to steal personal information has deployed more than 218 malicious NPM packages.
“After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure NPM scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope,” JFrog researchers Andrey Polkovnychenko and Shachar Menashe said in a new report.
All the malicious packages were reported to the NPM maintainers almost 2 days after they were published. The packages were quickly removed, but not before each package had been downloaded 50 times.
The technique is called typosquatting: bad actors push rogue packages with names resembling legitimate libraries to a public software registry such as NPM or PyPI, relying on the look-alike names to trick users into installing them.
In this case, the DevSecOps firm spotted the adversary creating dozens of malicious counterparts whose names matched existing @azure scope packages but omitted the scope prefix.
“The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package,” the researchers said. “For example, running npm install core-tracing by mistake, instead of the correct command – npm install @azure/core-tracing.”
Not only was a unique username used to upload every single package to the repository, but the malware-laden libraries also carried high version numbers (e.g., 99.10.9), which suggests an attempt to execute a dependency confusion attack.
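As an added illustration, not code from the JFrog report, the following Node.js check scans a package.json for the two tells described above: an unscoped dependency whose name collides with a known @azure-scoped package, and a dependency pinned to an implausibly high version. The list of scoped names (beyond @azure/core-tracing) and the version threshold are assumptions.

```javascript
// Added example (not from the JFrog report): a defender-side lint for the
// two warning signs discussed above. The scoped-name list is a constructed
// sample; a real deployment would load the whole @azure scope from the registry.
const KNOWN_SCOPED = new Set([
  "@azure/core-tracing",   // named in the report
  "@azure/core-http",      // constructed sample entries
  "@azure/identity",
]);

// Threshold is an assumption; the rogue packages used versions like 99.10.9.
const MAX_PLAUSIBLE_MAJOR = 50;

function unscopedName(name) {
  return name.startsWith("@") ? name.split("/")[1] : name;
}

// Map each known scoped package's bare name -> its scoped name.
const bareToScoped = new Map(
  [...KNOWN_SCOPED].map((s) => [unscopedName(s), s])
);

function majorOf(range) {
  const m = /(\d+)\./.exec(range); // first numeric component of e.g. "^99.10.9"
  return m ? Number(m[1]) : null;
}

// Returns a list of findings for the dependencies in a parsed package.json.
function auditDependencies(pkg) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(deps)) {
    // Typosquat tell: bare name equals a known scoped package minus its scope.
    if (!name.startsWith("@") && bareToScoped.has(name)) {
      findings.push({ name, issue: "missing-scope", hint: bareToScoped.get(name) });
    }
    // Dependency-confusion tell: major version far above anything plausible.
    const major = majorOf(range);
    if (major !== null && major > MAX_PLAUSIBLE_MAJOR) {
      findings.push({ name, issue: "suspicious-version", hint: range });
    }
  }
  return findings;
}

// Constructed package.json with one typosquat candidate and one sane dependency.
const samplePkg = {
  dependencies: { "core-tracing": "^99.10.9", "@azure/identity": "^2.0.0" },
};
console.log(auditDependencies(samplePkg));
```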
Once a developer unknowingly installs one of these packages, it executes a reconnaissance payload that lists directories and collects information about the user's current working directory, along with the IP addresses of the host's network interfaces and DNS servers.
“Due to the meteoric rise of supply chain attacks, especially through the NPM and PyPI package repositories, it seems that more scrutiny and mitigations should be added,” the researchers said.
“For example, adding a CAPTCHA mechanism on npm user creation would not allow attackers to easily create an arbitrary amount of users from which malicious packages could be uploaded, making attack identification easier.”