Four packages identified in the NPM repository forwarding user data

Malicious activity was identified in four packages in the NPM repository: a preinstall script that, before the package was installed, posted a comment to GitHub containing the user's IP address, location, login name, CPU model and home directory path. The malicious code was found in the packages electorn (255 downloads), lodashs (78 downloads), loadyaml (48 downloads) and loadyml (37 downloads).


The problematic packages were published on NPM between August 17 and 24 and distributed by typosquatting, i.e. given names resembling those of popular libraries in the expectation that a user would mistype the name or fail to notice the difference when picking a module from a list. Judging by the download counts, about 400 users fell for the trick, most of them confusing electorn with electron. The electorn and loadyaml packages have already been removed by the NPM administrators, and lodashs and loadyml were removed by the author.

The attackers' motives are unknown. It is assumed that the data leak via GitHub (the comment was posted to an Issue and deleted within XNUMX hours) was either an experiment to evaluate how effective the method was, or the first stage of a multi-stage attack: the first stage collected data on the victims, and in a second stage, never carried out because the packages were blocked, the attackers intended to ship an update containing more dangerous malicious code or a backdoor.

Source: opennet.ru
