code libraries malware Security typosquatting

Hundreds of code libraries posted to NPM try to install malware on dev machines

The IP address returned by a package Phylum analyzed was: hxxp://193.233.201[.]21:3001.

While the method was likely intended to conceal the source of second-stage infections, it ironically had the effect of leaving a trail of previous addresses the attackers had used in the past. The researchers explained:

An interesting thing about storing this data on the Ethereum blockchain is that Ethereum stores an immutable history of all values it has ever seen. Thus, we can see every IP address this threat actor has ever used.

On 2024-09-23 00:55:23Z it was hxxp://localhost:3001
From 2024-09-24 06:18:11Z it was hxxp://45.125.67[.]172:1228
From 2024-10-21 05:01:35Z it was hxxp://45.125.67[.]172:1337
From 2024-10-22 14:54:23Z it was hxxp://193.233[.]201.21:3001
From 2024-10-26 17:44:23Z it is hxxp://194.53.54[.]188:3001

When installed, the malicious packages come in the form of a packed Vercel package. The payload runs in memory, sets itself to load with each reboot, and connects to the IP address from the ethereum contract. It then “performs a handful of requests to fetch additional Javascript files and then posts system information back to the same requesting server,” the Phylum researchers wrote. “This information includes information about the GPU, CPU, the amount of memory on the machine, username, and OS version.”

Attacks like this one rely on typosquatting, a term for the use of names that closely mimic those of legitimate packages but contain small differences, such as those that might occur if the package was inadvertently misspelled. Typosquatting has long been a tactic for luring people to malicious websites. Over the past five years, typosquatting has been embraced to trick developers into downloading malicious code libraries.

Developers should always double-check names before running downloaded packages. The Phylum blog post provides names, IP addresses, and cryptographic hashes associated with the malicious packages used in this campaign.