Malicious Typosquats Target npm Packages and Visual Studio Code Extensions
Threat actors have been actively uploading malicious typosquats of legitimate npm packages, such as typescript-eslint and @types/node, to the npm registry. These counterfeit packages, named @typescript_eslinter/eslint and types-node, are designed to download trojans and retrieve second-stage payloads, posing a significant threat to developers and organizations alike.
The Attack
Efforts to Mimic Legitimate Packages
According to an analysis by Sonatype's Ax Sharma, the effort invested by malicious actors to mimic legitimate packages is alarming. The npm packages in question have racked up thousands of downloads, suggesting that developers may have unintentionally fallen victim to these typosquats. In some cases, download counts may have been artificially inflated by threat actors to increase the perceived legitimacy of the malicious packages.
Malicious Packages and Their Behavior
@typescript_eslinter/eslint
Details:
Linked to a fake GitHub repository created on November 29, 2024, by an account named "typescript-eslinter."
Contains a file named prettier.bat, which is actually a Windows executable (.exe) flagged as a trojan and dropper on VirusTotal.
Behavior:
Installs itself into the Windows Startup folder to ensure it runs on every reboot.
types-node
Details:
Fetches malicious scripts from a Pastebin URL, which then execute a trojan masquerading as npm.exe.
Both packages were designed to exploit the trust developers place in widely-used open-source libraries.
Broader Campaign Targeting Visual Studio Code
Targeting VSCode Extensions
In addition to npm packages, threat actors have targeted the Visual Studio Code (VSCode) Marketplace. ReversingLabs identified several malicious extensions uploaded to the marketplace in October 2024. These extensions impersonated tools for blockchain development and video conferencing applications like Zoom.
Malicious VSCode Extensions
The following rogue VSCode extensions, now removed, were part of this campaign:
EVM.Blockchain-Toolkit
VoiceMod.VoiceMod
ZoomVideoCommunications.Zoom
Ethereum.SoliditySupport
SolidityFoundation.Solidity-Ethereum
GavinWood.SolidityLang
And others.
Behavior
These extensions included obfuscated JavaScript code designed to download second-stage payloads from remote servers. The final payload remains unknown, but the evolving sophistication of these extensions underscores a deliberate effort to compromise developers’ environments.
Implications for Developers and Organizations
Threat to Supply Chain Security
The attack highlights vulnerabilities in open-source ecosystems and integrated development environments (IDEs). The inclusion of malicious code as a dependency can compromise not only individual developers but also the broader development and operational pipelines within enterprises.
Potential for Enterprise Compromise
Compromising an IDE or a widely-used package repository could serve as a foothold for attackers to infiltrate corporate systems, steal sensitive data, or disrupt critical business operations.
Recommendations for Protection
To mitigate these risks, developers and organizations should take the following steps:
Verify Package Authenticity
Double-check package names for typosquats and validate repositories before downloading.
Use tools like Sonatype’s Nexus and GitHub’s Dependabot to monitor dependencies for vulnerabilities.
Enable Code Scanning
Employ automated tools to analyze packages and extensions for malicious or obfuscated code.
Implement Multi-Factor Authentication (MFA)
Secure developer accounts on platforms like npm, GitHub, and IDE marketplaces with MFA to prevent unauthorized access.
Restrict IDE Extensions
Limit the installation of extensions to verified publishers. Regularly audit installed extensions for unusual behavior.
Adopt Secure Development Practices
Use sandboxed environments to test third-party tools and dependencies before integrating them into projects.
Conclusion
The recent typosquatting and VSCode extension attacks highlight the growing sophistication of threat actors targeting the software development lifecycle. By masquerading as trusted tools, these campaigns aim to introduce malicious code into developer environments, potentially affecting millions of users downstream.
Developers and organizations must prioritize robust security measures and remain vigilant to safeguard their projects and systems from supply chain threats. As the open-source ecosystem continues to grow, so does the need for proactive defenses to combat malicious activities.