A “large scale” attack is targeting Microsoft Azure developers through malicious npm packages.
On Wednesday, cybersecurity researchers from JFrog said that hundreds of malicious packages have been identified, created to steal valuable personally identifiable information (PII) from developers.
According to researchers Andrey Polkovnychenko and Shachar Menashe, the repositories were first detected on March 21 and steadily grew from roughly 50 malicious npm packages to over 200 in a matter of days.
The miscreants responsible for the npm repositories have developed an automated script that targets the @azure npm scope, alongside @azure-rest, @azure-tests, @azure-tools, and @cadl-lang.
The script is responsible for creating accounts and uploading the sets of npm packages, which include container services, a health bot, testers, and storage packages.
JFrog says that typosquatting has been used to try to dupe developers into downloading the files. At the time of writing, these packages contained information stealer malware.
Typosquatting is a form of phishing in which small changes are made to an email address, file, or website address to mimic a legitimate service or content. For example, an attacker could target users of “your-company.com” by registering the domain name “your-c0mpany.com”. By replacing a single letter, they hope that victims do not notice that the resource is fraudulent.
In this case, malicious packages are created with the same name as an existing @azure scope package, but they have dropped the scope.
“The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package,” the researchers say. “For example, running npm install core-tracing by mistake, instead of the correct command — npm install @azure/core-tracing.”
Furthermore, all of the npm packages were given high version numbers, which could indicate dependency confusion attack attempts.
“Since this set of legitimate packages is downloaded tens of millions of times each week, there is a high chance that some developers will be successfully fooled by the typosquatting attack,” JFrog added.
JFrog has provided a full list of the malicious npm packages detected so far. Npm maintainers have removed the malicious files, but Azure developers should be on the alert for further activity from this threat actor.
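As an added example (not code from JFrog or npm), the following check scans a package.json for dependencies whose name matches a package from one of the targeted scopes with the scope dropped. The function names, the inventory of legitimate scoped packages, and the sample manifest are constructed for illustration.

```javascript
// Scopes named in the article as targeted by the scope-dropping packages.
const PROTECTED_SCOPES = ["@azure", "@azure-rest", "@azure-tests", "@azure-tools", "@cadl-lang"];
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Index bare names ("core-tracing") to the protected scoped packages they imitate.
function buildBareNameIndex(knownScoped) {
  const index = new Map();
  for (const full of knownScoped) {
    const m = /^(@[^/]+)\/(.+)$/.exec(full);
    if (!m || !PROTECTED_SCOPES.includes(m[1])) continue; // only protected scopes
    if (!index.has(m[2])) index.set(m[2], []);
    index.get(m[2]).push(full);
  }
  return index;
}

// Return every unscoped dependency that shares its name with a protected scoped package.
function findScopeDropped(manifest, knownScoped) {
  const index = buildBareNameIndex(knownScoped);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      if (name.startsWith("@")) continue; // already scoped, cannot be scope-dropped
      const shadows = index.get(name);
      if (shadows) findings.push({ field, name, range, shadows });
    }
  }
  return findings;
}

// Constructed inventory of scoped packages the team actually intends to use.
const KNOWN_SCOPED = ["@azure/core-tracing", "@azure/storage-blob", "@cadl-lang/compiler", "@types/node"];

// Constructed manifest: one mistyped install, one correct install, one unrelated package.
const SAMPLE_MANIFEST = {
  dependencies: {
    "core-tracing": "^99.0.0",        // scope dropped, high version (constructed value)
    "@azure/storage-blob": "^12.0.0", // correctly scoped
    "express": "^4.18.0",             // unrelated, not flagged
  },
  devDependencies: { "compiler": "*" }, // bare name of @cadl-lang/compiler
};

for (const f of findScopeDropped(SAMPLE_MANIFEST, KNOWN_SCOPED)) {
  console.log(`${f.field}: "${f.name}" (${f.range}) may be a scope-dropped copy of ${f.shadows.join(", ")}`);
}
```

A hit is a candidate for review, not proof of compromise, since an unrelated legitimate package can share a bare name with a scoped one.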