• Home
  • Resources
  • Blog
  • Cybercriminals targeted users of packages with a total of 1.5 billion weekly downloads on npm

Cybercriminals targeted users of packages with a total of 1.5 billion weekly downloads on npm

Single Author Uploaded 168 Packages to npm As Part of a Massive Dependency Confusion Attack
Single Author Uploaded 168 Packages to npm As Part of a Massive Dependency Confusion Attack

Another week, another supply chain incident. It’s been only nine days since the Mend research team detected the dYdX incident, and today we have detected another supply chain malicious campaign.

On October 02, 2022 at 12:12 UTC,  a new npm account was registered, and a package called nuiversalify was immediately uploaded. The same threat actor then proceeded to publish more typo/spellcheck squattings of popular packages until 14:03:29 UTC, with small but irregular time gaps between uploads. The irregular publishing cadence may suggest that for many name-cases, the npm typosquatting mechanism worked as expected.

In a typosquatting attack, an attacker publishes a malicious package with a similar name to a popular package, in the hope that a developer will misspell a package name and unintentionally fetch the malicious version.

In total, the threat actor published 155 packages to npm targeting users of the following packages:

Legit package nameWeekly downloads

Here are the names of the packages that were uploaded:

tsilb, nuiversalify3, micrmoatch, lgob-parent, glob-praent, http-rerors, postcss-valeu-parser, jsecs, y81n, ussports-color, stirng-width, string-wdith, webidl-conversinos, asni-regex, 1y8n, sypport-color, ahs-flag, igonre, string-iwdth, webidl-conversiosn, esrtaverse, hsa-flag, shebnag-command, webidl-covnersions, univesralify, webidl-conevrsions, strign-width, y1n8, suopport-colors, shebang-comamnd, microamtch, anymathc, uinversalify, naymatch, anis-regex, postcss-value-pasrer, ansi-reegx, webidl-convesrions, aynmatch, string-widht, wbeidl-conversions, glob-parnet, sheabng-command, ansi-rgeex, estraveres, stlib, shebang-commadn, soupports-colors, webidl-conversion, webdl-conversions, estravrese, http-erorrs, tsring-width, ignoer, has-falg, supports-colro, shebang-cmomand, deubg, shebagn-command, anmyatch, has-lfag, strnig-width, glob-aprent, opstcss-value-parser, shebang-ocmmand, supprots-color, hsebang-command, srting-width, aypports-color, estravesre, dupport-colors, nuiversalify, ansi-regxe, tlsib, spuports-color, glob-paernt, ginore, webdli-conversions, postcss-value-parsre, sehbang-command, has-flga, http-errosr, glbo-parent, golb-parent, postcss-value-paresr, string-witdh, ewbidl-conversions, universlaify, estraevrse, tslbi, suypport-colors, micormatch, thtp-errors, univeraslify, supoprts-color, ebidl-conversions, supports-cloor, anyamtch, syupport-colors, ignroe, webidl-conversoins, htpt-errors, postcss-vlaue-parser, supporst-color, postcss-value-praser, nuiversalify1, edbug, universailfy, potscss-value-parser, posctss-value-parser, postcss-avlue-parser, webid-conversions, univresalify, anymacth, ansi-ergex, uspport-colors, glob-paretn, webidl-ocnversions, weibdl-conversions, nasi-regex, uspports-color, micromacth, micromtach, universalfiy, anymtach, universaliyf, shebang-commnad, postscs-value-parser, postcss-vaule-parser, wbedil-conversions, imcromatch, http-errros, dypports-color, etsraverse, webidl-cnoversions, nuiversalify2, suppotrs-color, psotcss-value-parser, micromathc, postcss-value-aprser, jessc, mciromatch, supports-oclor, setraverse, jssec, sjesc, estarverse, ingore, estrvaerse, unievrsalify, mircomatch, postcss-val-parser, supports-coolr, webidl-convresions, webidl-converisons

Nature of the attack

In contrast to the dYdX campaign, this attack did not target a specific organization. Rather, the threat actor opted to cast the widest net possible: with more than 1.5 billion (yes billion) downloads, the probability that someone would accidentally run npm install and make a typo is pretty high. Even one mistake out of millions of downloads could result in the infection of tens, if not hundreds, of machines.

All of the uploaded packages had the same content. They contained:

  • Readme is taken from the legit universalify package
  • package.json with a preinstall hook
  • MIT license of universalify
  • The malicious exploder index.js file

the malicious code preinstall hook can be seen in line 25

Upon installation of this package, the malicious index.js would be executed. Its content was fairly simple. Aside from the boilerplate code, it tried to download a harmless-looking “README.txt.lnk” attachment from the discord CDN:

Why was discordapp selected as the source of the file? While we cannot know for sure, it may be that the attacker wanted to use a “legitimate” source.

So, what does this enigmatic README.txt.lnk contain? 

If you upload it to virustotal, there are several signatures from AV systems that trigger:

Inside of this file was another executable code:

That would download and run a VBS script:

And yet again, this VBS script when executed would perform few actions but the primary one was to download and install a backdoor password stealer/trojan:

Reducing Enterprise Application Security Risks:

More Work Needs to Be Done

Actions taken by Mend.io

The Mend Supply Chain Defender notified us about this malicious actor 17 minutes after the first package was published. 

Once we confirmed that the attack was not a false positive, we reached out to npm and other parties involved and asked for the packages and the malicious content to be removed. All of the malicious packages were removed around 3pm UTC.

How to protect against similar attacks?

Sometimes, doing a manual review of installed packages is not enough – the preinstall hook used by the attacker is deceiving. Automated supply chain security solutions such as Mend Supply Chain Defender inform you when you import a malicious package that contains malicious code.

Meet The Author

Maciej Mensfeld

Maciej Mensfeld is the creator of the Mend Supply Chain Defender platform and a Senior Product Manager. He writes about Supply Chain Security and Open Source Software in general.

Adam Murray

Adam Murray is a content writer at Mend. He began his career in corporate communications and PR, in London and New York, before moving to Tel Aviv. He’s spent the last ten years working with tech companies like Amdocs, Gilat Satellite Systems, Allot Communications, and Sisense. He holds a Ph.D. in English Literature. When he’s not spending time with his wife and son, he’s preoccupied with his beloved football team, Tottenham Hotspur.

Subscribe to Our Blog