Typo-Squatting NPM Software Supply Chain Attack

upnorth

Jul 27, 2015
Researchers at ReversingLabs have uncovered evidence of a widespread software supply chain attack through malicious JavaScript packages picked up via NPM.

NPM was acquired by Microsoft-owned GitHub in 2020 and has suffered from the odd issue or two over the years (from authorization problems in 2021 to credential problems this year). The latest problem stems from typo-squatting, where an attacker offers up malicious packages with names similar to (or easy misspellings of) real packages. Examples given included a variety riffing on the name ionicons, which, in reality (when spelled correctly) is a handy open source set of 1,000 icons for use with web, desktop, iOS, and Android apps. In the case of ionicons, the miscreants published 18 versions containing malicious form-stealing code; for example, icon-package (according to NPM download stats) has over 17,000 downloads. Other typo-squatting examples include umbrellaks instead of umbrellajs and so on. As for what is taken, researchers found functionality capable of gathering data from pretty much every form element on a page.

The attack looks distressingly coordinated: ReversingLabs noted the malicious package was published from December 2021 and the unnamed gang behind it appears to have since moved on to other NPM packages.

Combined with typo-squatting, bad actors have attempted to cover up the malicious code lurking within packages using an obfuscator. The JavaScript Obfuscator tool is designed to protect code from reverse engineering and tampering. Miscreants have taken to using it to disguise JavaScript with more nefarious purposes. As such, engineers have taken its use as an indicator that a package might merit a closer look. ReversingLabs has already reported its findings to NPM and The Register asked the package slinger and its parent, GitHub, what could be done about the attack. Both have yet to respond.

As with all too many attacks, it appears to depend on users not being totally clear on what they are downloading.
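As an added example (not code from the post, from ReversingLabs or from npm), here is a small dependency check in JavaScript that flags names sitting within a short edit distance of a known package, the pattern described above with umbrellaks versus umbrellajs. The known-package list and the sample dependency list are constructed for the demo; in practice the list would come from an allow-list or the registry's own popularity data.

```javascript
// Constructed sample of well-known package names (not a registry feed).
const KNOWN_PACKAGES = ["ionicons", "umbrellajs", "lodash", "express", "react"];

// Damerau-Levenshtein (optimal string alignment) distance: insertions,
// deletions, substitutions and adjacent transpositions, i.e. the usual typos.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Compare names the way a hurried human reads them: drop the @scope prefix,
// ignore case and separators. A scoped copy of a known name (distance 0)
// is therefore also reported, which is the desired behaviour.
function normalise(name) {
  return name.replace(/^@[^/]+\//, "").toLowerCase().replace(/[-_.]/g, "");
}

// Returns [{dependency, lookalikeOf, distance}] for every dependency that is
// not itself a known package but lies within maxDistance of one.
function findTyposquatCandidates(dependencies, known = KNOWN_PACKAGES, maxDistance = 1) {
  const knownSet = new Set(known);
  const hits = [];
  for (const dep of dependencies) {
    if (knownSet.has(dep)) continue; // exact, expected name
    for (const k of known) {
      const distance = editDistance(normalise(dep), normalise(k));
      if (distance <= maxDistance) hits.push({ dependency: dep, lookalikeOf: k, distance });
    }
  }
  return hits;
}

// Constructed dependency list, as it might appear in a package.json.
const sampleDeps = ["umbrellaks", "ionicons", "react", "lodahs", "left-pad"];
console.log(findTyposquatCandidates(sampleDeps));
```

A hit is a prompt for review, not proof of malice: legitimate forks and scoped republishes also land within one edit of a popular name.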
 

CyberTech

Nov 10, 2017
GitHub has announced the general availability of three significant improvements to npm (Node Package Manager), aiming to make using the software more secure and manageable.

In summary, the new features include a more streamlined login and publishing experience, the ability to link Twitter and GitHub accounts to npm, and a new package signature verification system.

At the same time, GitHub announced that the two-factor authentication program introduced in May 2022 is ready to exit beta and become available to all npm users.

The npm platform is a subsidiary of GitHub and is a package manager and repository (registry) for JavaScript coders, used by developers' projects to download five billion packages daily.

It recently suffered large-scale security incidents that impacted hundreds of apps and websites, forcing GitHub to develop and urgently implement a security-boosting plan.
