The researchers described it as a “co-ordinated supply chain attack.”
“While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands of downstream mobile and desktop applications as well as websites,” the report says. “In one case, a malicious package had been downloaded more than 17,000 times.”
The attackers are relying on typo-squatting, naming their packages with names that are similar to — or common misspellings of — legitimate packages. Among those impersonated are high-traffic modules like umbrellajs (the fake module is called umbrellaks) and packages published by ionic.io.
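One defensive check against the typo-squatting pattern described above is to compare every declared dependency against a list of well-known package names and flag near-misses such as umbrellaks for umbrellajs. The following is an added example, not code from the ReversingLabs report; the allow-list and the sample dependency map are constructed for the demonstration.

```javascript
// Added example: flag dependency names that sit within a small edit distance of
// well-known packages (typo-squatting), e.g. "umbrellaks" impersonating "umbrellajs".
// KNOWN_PACKAGES and SAMPLE_DEPS are constructed for this demo, not taken from the report.

const KNOWN_PACKAGES = ["umbrellajs", "ionicons", "@ionic/core", "lodash", "jquery"];

// Damerau-Levenshtein (optimal string alignment) distance: insertion, deletion,
// substitution and adjacent transposition each cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0))
  );
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Returns [{ name, lookalikeOf, distance }] for each dependency that is not an
// exact match of a known package but lies within maxDistance edits of one.
function findTyposquats(dependencies, known = KNOWN_PACKAGES, maxDistance = 2) {
  const hits = [];
  for (const name of Object.keys(dependencies)) {
    if (known.includes(name)) continue; // exact match: legitimate package
    for (const legit of known) {
      const distance = editDistance(name.toLowerCase(), legit.toLowerCase());
      if (distance > 0 && distance <= maxDistance) {
        hits.push({ name, lookalikeOf: legit, distance });
        break;
      }
    }
  }
  return hits;
}

// Constructed "dependencies" block of a package.json for the demo.
const SAMPLE_DEPS = { umbrellaks: "^3.1.0", lodash: "^4.17.21", jquerry: "^3.6.0", express: "^4.18.2" };

console.log(findTyposquats(SAMPLE_DEPS)); // umbrellaks and jquerry are flagged
```

A real deployment would feed the check a lockfile and a much larger allow-list (the registry's most-downloaded names), and treat a hit as a review trigger rather than a verdict.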
Similarities between the domains used to exfiltrate data suggest that the various modules in this campaign are in the control of a single actor, the report adds.
NPM is one of several open-source package registries that developers draw on in their applications; others include PyPI, Ruby and NuGet.
ReversingLabs examined the suspicious modules it found and discovered that all of them collect form data using jQuery Ajax functions and send it to various domains controlled by the malicious authors.
Not only are the names of malicious packages similar to legitimate packages, the websites the packages link to are in some cases well-crafted copies of real sites. This also deceives those who download the packages. For example, this is the fake Ionic page that links to one of the malicious packages discovered by ReversingLabs …
… and this is the real website.
“This attack marks a significant escalation in software supply chain attacks,” says the report. “Malicious code bundled within the NPM modules is running within an unknown number of mobile and desktop applications and web pages, harvesting untold amounts of user data.
“The NPM modules our team identified have been collectively downloaded more than 27,000 times. As very few development organizations have the ability to detect malicious code within open source libraries and modules, the attacks persisted for months before coming to our attention. While a few of the named packages have been removed from NPM, most are still available for download at the time of this report.”