Threat actors have been observed uploading malicious typosquats of legitimate npm packages such as typescript-eslint and @types/node that have racked up thousands of downloads on the package registry.
The counterfeit versions, named @typescript_eslinter/eslint and types-node, are engineered to download a trojan and retrieve second-stage payloads, respectively.
“While typosquatting attacks are hardly new, the effort spent by nefarious actors on these two libraries to pass them off as legitimate is noteworthy,” Sonatype’s Ax Sharma said in an analysis published Wednesday.
“Furthermore, the high download counts for packages like “types-node” are signs that point to both some developers possibly falling for these typosquats, and threat actors artificially inflating these counts to boost the trustworthiness of their malicious components.”
The npm listing for @typescript_eslinter/eslint, Sonatype’s analysis revealed, points to a phony GitHub repository that was set up by an account named “typescript-eslinter,” which was created on November 29, 2024. Present within this package is a file named “prettier.bat.”
Another package linked to the same npm/GitHub account is named @typescript_eslinter/prettier. It impersonates a well-known code formatter tool of the same name, but, in reality, is configured to install the fake @typescript_eslinter/eslint library.
The malicious library contains code to drop “prettier.bat” into a temporary directory and add it to the Windows Startup folder so that it’s automatically run every time the machine is rebooted.
“Far from being a ‘batch’ file though, the “prettier.bat” file is actually a Windows executable (.exe) that has previously been flagged as a trojan and dropper on VirusTotal,” Sharma said.
On the other hand, the second package, types-node, incorporates instructions to reach out to a Pastebin URL and fetch scripts that are responsible for running a malicious executable that’s deceptively named “npm.exe.”
“The case highlights a pressing need for improved supply chain security measures and greater vigilance in monitoring third-party software registry developers,” Sharma said.
The development comes as ReversingLabs identified several malicious extensions that were initially detected in the Visual Studio Code (VSCode) Marketplace in October 2024, a month after which one additional package emerged in the npm registry. The package attracted a total of 399 downloads.
The list of rogue VSCode extensions, now removed from the store, is below –
- EVM.Blockchain-Toolkit
- VoiceMod.VoiceMod
- ZoomVideoCommunications.Zoom
- ZoomINC.Zoom-Workplace
- Ethereum.SoliditySupport
- ZoomWorkspace.Zoom
- ethereumorg.Solidity-Language-for-Ethereum
- VitalikButerin.Solidity-Ethereum
- SolidityFoundation.Solidity-Ethereum
- EthereumFoundation.Solidity-Language-for-Ethereum
- SOLIDITY.Solidity-Language
- GavinWood.SolidityLang
- EthereumFoundation.Solidity-for-Ethereum-Language
“The campaign started with targeting of the crypto community, but by the end of October, extensions published were mostly impersonating the Zoom application,” ReversingLabs researcher Lucija Valentić said. “And each malicious extension published was more sophisticated than the last.”
All the extensions as well as the npm package have been found to include obfuscated JavaScript code, acting as a downloader for a second-stage payload from a remote server. The exact nature of the payload is currently not known.
The findings once again emphasize the need for exercising caution when it comes to downloading tools and libraries from open-source systems and avoid introducing malicious code as a dependency in a larger project.
“The possibility of installing plugins and extending functionality of IDEs makes them very attractive targets for malicious actors,” Valentić said. “VSCode extensions are often overlooked as a security risk when installing in an IDE, but the compromise of an IDE can be a landing point for further compromise of the development cycle in the enterprise.”
