Sonatype Finds 'Typosquatting' Packages in npm
- By John K. Waters
- October 1, 2020
Researchers at Sonatype, a leader in the DevSecOps and repository management space, this week discovered and confirmed the presence of new malicious npm packages. The packages exfiltrate (effectively broadcast) the target's IP address, username, and device fingerprint information to a public GitHub page that anyone can read.
The packages (electorn, loadyaml, lodashs, and loadyml) represent next-generation software supply chain attacks that rely on typosquatting, said Sonatype engineer and security researcher Ax Sharma in a blog post.
"Typosquatting packages prey on a developer or unsuspecting user to make a minor typographical error," Sharma explained, "which will trick them into installing the malicious package within their environment, instead of the one they had originally intended to download. For example, the developer requests the 'electron' package but unintentionally spells it 'electorn.'"
Also known as URL hijacking, typosquatting is a type of cybersquatting (sitting on sites under someone else's brand or copyright) that targets Internet users who incorrectly type a website address into their Web browser.
Npm is a popular online directory and command line tool for installing and managing Node packages.
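The typo pattern Sharma describes ("electron" mistyped as "electorn") is something a team can screen for on its own side, before `npm install` runs. The following is an added example, not code from the article or from Sonatype: it scores each dependency name against a small allowlist of well-known packages using an edit distance that treats an adjacent-letter swap as one edit, and flags names that are close to, but not equal to, a known package. The allowlist and the `package.json` dependency block are constructed samples; the lookalike names come from the article.

```javascript
// Added example: flag dependency names that sit a keystroke or two away from
// a well-known package name. KNOWN_PACKAGES is a constructed sample allowlist;
// a real deployment would load the names a team actually depends on.
const KNOWN_PACKAGES = ["electron", "lodash", "js-yaml", "yaml", "express", "react"];

// Optimal string alignment distance: Levenshtein plus adjacent transposition,
// so "electorn" -> "electron" costs 1 (a single "or"/"ro" swap).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0))
  );
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Returns one {name, lookalike, distance} record for every dependency that is
// not itself on the allowlist but lies within maxDistance edits of an entry.
function findTyposquatCandidates(deps, known = KNOWN_PACKAGES, maxDistance = 2) {
  const knownSet = new Set(known);
  const hits = [];
  for (const name of Object.keys(deps)) {
    if (knownSet.has(name)) continue; // exact allowlist match is fine
    for (const candidate of known) {
      const distance = editDistance(name, candidate);
      if (distance <= maxDistance) hits.push({ name, lookalike: candidate, distance });
    }
  }
  return hits;
}

// Constructed "dependencies" block; the three lookalike names are from the article.
const sampleDeps = { electorn: "^1.0.0", lodashs: "*", loadyaml: "1.0.0", express: "^4.17.1" };
console.log(findTyposquatCandidates(sampleDeps));
```

Note that loadyaml is not within two edits of any name in this sample allowlist, so a distance check alone does not catch every lookalike; it is a cheap first filter, not a substitute for registry-side malicious code detection of the kind the article describes.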
Sonatype's malicious code detection bots made the initial discovery, Sharma said.
"By applying machine learning and artificial intelligence to identify suspicious code commits, update signals, and developer patterns, the bots are continuously assessing changes across millions of open source software component releases," he said. "Following alerts from the Sonatype bots, our security research team verified the presence of malicious code in two npm packages and traced the intended exploit path."
Both packages were from the same author, "simplelive12," Sharma added. In his post, he examines in depth the two packages that were still available for download from npm, electorn and loadyaml.
Sonatype unveiled its next-generation malicious code detection bots last year. The bots are built into the company's Nexus Intelligence products to detect malicious releases of open-source components, known as "counterfeit components," and block their use within modern software factories.
The packages are part of a growing pattern of next-gen software supply chain attacks. In its sixth annual report on open-source software development ("State of the Software Supply Chain Report"), Sonatype found that, in the 12 months prior to the report's publication, the number of next-gen cyberattacks aimed at actively infiltrating open-source projects increased by a stunning 430%.
Especially alarming: the bad actors are becoming increasingly proactive in attacking software supply chains (rather than waiting for vulnerabilities to be disclosed).
Sonatype used new AI-powered malicious code detection software to locate and confirm the existence of the malicious code, automatically blocking its customers from downloading the affected packages. Although the packages had been downloaded around 400 times in five days, Sonatype says, the company caught them before further damage was done.
John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS.