A phishing attack on the maintainers of JavaScript libraries has been recorded: a message sent in the name of the NPM service asked the recipient to confirm their e-mail address. The attack allowed the attackers to obtain the NPM tokens of the maintainer of one of the large JavaScript projects and to publish updates containing malicious code for five NPM packages that together account for about 100 million downloads per week.
The message sent to the maintainer was styled to resemble a typical NPM notification from "support@npmjs.org", but the link in it pointed to "npnjs.com" instead of "npmjs.com" (the third letter "n" in place of "m"). The attackers exploited a psychological effect: the brain, anticipating the expected result, does not notice minor distortions such as the replacement of letters with similar-looking ones or a change in the order of letters within a word. Clicking the link opened a full copy of the npmjs.com website (most likely a proxy set up to intercept the access token).
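The lookalike-domain trick described above can be caught mechanically: an edit distance that counts substituted letters and swapped adjacent letters as single edits flags "npnjs.com" and "nmpjs.com" as one step away from "npmjs.com". The following is an added example, not code from the article or from the affected projects; the allow-list, the sample links and the distance threshold are assumptions chosen for the illustration.

```javascript
// Added example (not from the original article): flag lookalike domains in
// e-mail links by comparing each link's registrable domain against a short
// allow-list. The allow-list, the sample links and the distance threshold
// are assumptions chosen for this illustration.
const TRUSTED_DOMAINS = ["npmjs.com", "npmjs.org", "github.com"];
const MAX_DISTANCE = 2; // edits allowed before a domain stops counting as a lookalike

// Optimal string alignment distance: substitutions, insertions, deletions and
// adjacent transpositions each cost 1, so "npnjs.com" -> "npmjs.com" is 1
// (one substituted letter) and "nmpjs.com" -> "npmjs.com" is also 1
// (two letters swapped), exactly the distortions the eye tends to skip.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Registrable domain = last two labels of the hostname. Sufficient for the
// .com/.org entries above; production code should consult the public suffix list.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Verdicts: "trusted" (exact match), "lookalike" (within MAX_DISTANCE edits of
// a trusted domain but not equal to it), "unknown" (anything else), "invalid".
function classifyLink(url) {
  let hostname;
  try {
    hostname = new URL(url).hostname;
  } catch (err) {
    return { verdict: "invalid", url };
  }
  const domain = registrableDomain(hostname);
  if (TRUSTED_DOMAINS.includes(domain)) return { verdict: "trusted", url, domain };
  let best = null;
  for (const trusted of TRUSTED_DOMAINS) {
    const distance = osaDistance(domain, trusted);
    if (distance <= MAX_DISTANCE && (best === null || distance < best.distance)) {
      best = { target: trusted, distance };
    }
  }
  return best ? { verdict: "lookalike", url, domain, ...best } : { verdict: "unknown", url, domain };
}

// Constructed sample links: the real registry domain, the phishing domain from
// this incident, a transposed variant and an unrelated site.
const SAMPLE_LINKS = [
  "https://www.npmjs.com/settings/tokens",
  "https://npnjs.com/login?verify=1",
  "https://www.nmpjs.com/login",
  "https://example.org/",
];

for (const link of SAMPLE_LINKS) {
  const r = classifyLink(link);
  const detail = r.target ? ` (${r.distance} edit(s) from ${r.target})` : "";
  console.log(`${r.verdict.padEnd(9)} ${link}${detail}`);
}
```

Run with `node lookalike.js`; the two distorted domains are reported as lookalikes of npmjs.com at distance 1, while example.org is merely unknown. The same comparison belongs in a mail gateway or a browser extension, where it can run before the user's pattern-matching brain gets a vote.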

During the attack, the following new versions of the packages were published:
- eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7.
- eslint-plugin-prettier: 4.2.2, 4.2.3.
- synckit: 0.11.9.
- @pkgr/core: 0.2.8.
- napi-postinstall: 0.3.1.
The malicious code added to these releases targeted users of the Windows platform: the changes loaded a node-gyp.dll library containing functionality for remotely executing commands on the system.
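Because the versions are known exactly, the practical check for a project is to look for them in its lock-file, including nested copies that `npm ls` may hide. The script below is an added example, not code from the article or from the affected projects; the lock-file contents it scans by default are constructed for the illustration, and the layouts it parses are the standard package-lock.json v1 ("dependencies" tree) and v2/v3 ("packages" map keyed by install path).

```javascript
// Added example (not from the original article): check a project's
// package-lock.json for the compromised releases listed above. The sample
// lock-file below is constructed for the illustration; pass a real file path
// on the command line to scan a project.
const COMPROMISED = {
  "eslint-config-prettier": ["8.10.1", "9.1.1", "10.1.6", "10.1.7"],
  "eslint-plugin-prettier": ["4.2.2", "4.2.3"],
  "synckit": ["0.11.9"],
  "@pkgr/core": ["0.2.8"],
  "napi-postinstall": ["0.3.1"],
};

function isCompromised(name, version) {
  return Boolean(COMPROMISED[name] && COMPROMISED[name].includes(version));
}

// Lockfile v2/v3 keys "packages" by install path, e.g.
// "node_modules/@pkgr/core" or "node_modules/a/node_modules/synckit";
// the package name is everything after the last "node_modules/".
function nameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Lockfile v1 nests "dependencies" objects keyed by package name.
function* walkV1(deps, parents = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const chain = [...parents, name];
    yield { name, version: info.version, where: chain.join(" > ") };
    if (info.dependencies) yield* walkV1(info.dependencies, chain);
  }
}

// Every occurrence of a compromised release in the lock-file, whatever the
// lock-file version and however deeply the package is nested.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [installPath, info] of Object.entries(lock.packages)) {
      const name = info.name || nameFromPath(installPath);
      if (name && isCompromised(name, info.version)) {
        hits.push({ name, version: info.version, where: installPath });
      }
    }
  } else {
    for (const entry of walkV1(lock.dependencies)) {
      if (isCompromised(entry.name, entry.version)) hits.push(entry);
    }
  }
  return hits;
}

// Constructed sample in lockfile v3 layout: one clean version, one
// compromised top-level package and one compromised nested package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.5" },
    "node_modules/eslint-plugin-prettier": { version: "4.2.3" },
    "node_modules/eslint-plugin-prettier/node_modules/synckit": { version: "0.11.9" },
  },
};

function report(lock) {
  const hits = findCompromised(lock);
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.where}`);
  console.log(hits.length ? `${hits.length} compromised release(s) found` : "no compromised releases found");
  return hits.length;
}

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  report(lock);
}
```

Run as `node scan-lock.js path/to/package-lock.json`; without an argument it scans the constructed sample and reports the two planted hits. A hit means the version was resolved for this project, so after pinning a clean version the lock-file should be regenerated and `node_modules` reinstalled, since deprecation on the registry side only produces a warning at install time.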
The maintainer noticed that he had been phished about an hour after the first complaint about the suspicious releases came in. He immediately revoked the access token, changed his passwords, marked the problematic versions as deprecated (which makes npm print a warning on install, discouraging rather than blocking automated build systems from pulling them), and asked NPM support to remove the problematic versions from the repository.
It is not specified how many users managed to download the malicious versions (the malicious version of eslint-plugin-prettier, for example, remained in the repository for about two days). Over the past week, eslint-config-prettier was downloaded 30 million times and is used as a dependency by 11762 packages; eslint-plugin-prettier was downloaded 21 million times (8468 dependent packages); synckit 18 million times; @pkgr/core 16 million times; and napi-postinstall 10 million times.
Source: opennet.ru
