Malicious npm packages target Azure developers to steal personal data

Malicious npm packages target Azure developers to steal personal data

Trending 8 months ago 130

A "large scale" onslaught is targeting Microsoft Azure developers done malicious npm packages. 

On Wednesday, cybersecurity researchers from JFrog said that hundreds of malicious packages person been identified, created to bargain invaluable personally identifiable accusation (PII) from developers. 

According to researchers Andrey Polkovnychenko and Shachar Menashe, the repositories were archetypal detected connected March 21 and steadily grew from astir 50 malicious npm packages to implicit 200 successful a substance of days.

The miscreants liable for the npm repositories person developed an automated publication that targets the @azure npm scope, alongside @azure-rest, @azure-tests, @azure-tools, and @cadl-lang. 

The publication is liable for creating accounts and uploading the npm sets, which see instrumentality services, a wellness bot, testers, and retention packages. 

JFrog says that typosquatting has been utilized to effort and dupe developers into downloading the files. At the clip of writing, these packages contained accusation stealer malware. 

Typosquatting is simply a signifier of phishing successful which tiny changes are made to an email address, file, oregon website code to mimic a morganatic work oregon content. For example, an attacker could people users of "" by registering a domain sanction with "" -- and by replacing a azygous letter, they anticipation that victims bash not announcement that the assets is fraudulent. 

In this case, malicious packages are created with the aforesaid sanction arsenic an existing @azure scope package, but they person dropped the scope. 


The morganatic package


The malicious counterpart, missing the scope


"The attacker is relying connected the information that immoderate developers whitethorn erroneously omit the @azure prefix erstwhile installing a package," the researchers say. "For example, moving npm instal core-tracing by mistake, alternatively of the close bid -- npm instal @azure/core-tracing."

Furthermore, each of the npm packages were fixed precocious mentation numbers, which could bespeak dependency disorder onslaught attempts. 

"Since this acceptable of morganatic packages is downloaded tens of millions of times each week, determination is simply a precocious accidental that immoderate developers volition beryllium successfully fooled by the typosquatting attack," JFrog added.

JFrog has provided a afloat list of the malicious npm packages detected truthful far. Npm maintainers person removed the malicious files, but Azure developers should beryllium connected the alert for further enactment from this menace actor. 

Previous and related sum

Have a tip? Get successful interaction securely via WhatsApp | Signal astatine +447713 025 499, oregon implicit astatine Keybase: charlie0

style="display:block" data-ad-client="ca-pub-6050020371266145" data-ad-slot="7414032534" data-ad-format="auto" data-full-width-responsive="true">