Summary:
The Socket threat research team has uncovered six malicious npm packages designed by a threat actor to mimic popular libraries through typosquatting. These packages pose significant risks by injecting backdoors into Linux systems, enabling unauthorized SSH access. The incident highlights vulnerabilities in software supply chains and underscores the need for enhanced security practices among developers and organizations.
#Typosquatting #SupplyChainSecurity #npmPackages
Keypoints:
Six malicious npm packages were published by the threat actor “sanchezjosephine180”.
The packages mimic popular libraries using typosquatting techniques.
Malicious packages include babelcl, chokader, streamserch, sss2h, npmrunnall, and node-pyt.
These packages have been downloaded over 700 times and are still live on the npm registry.
The threat actor exploits common typing errors to distribute malicious code through postinstall scripts.
Unauthorized SSH access allows attackers to infiltrate systems undetected.
SSH access credentials are traded on the dark web, facilitating various cyberattacks.
A seventh package, parimiko, resembles a legitimate Python library but currently lacks malicious code.
The incident emphasizes the need for stronger security practices in software supply chains.
Socket offers tools to detect and prevent these threats in real time.
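As an added defender-side example (not code from the Socket report or its tooling), the following Python audits package.json manifests for install-lifecycle scripts, flags package names within two edits of a well-known name, and checks an authorized_keys file for a known-bad key body. The popular-name list, the sample inputs and all function names are assumptions constructed for illustration.

```python
import json
import os

# Assumed list of well-known package names (not from the report); extend as needed.
POPULAR = {"babel-cli", "chokidar", "stream-search", "ssh2", "npm-run-all", "node-pty"}
# npm lifecycle hooks that run code automatically at install time.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (typosquatted) names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(name, popular=POPULAR, max_dist=2):
    """Popular names within max_dist edits of name, excluding an exact match."""
    return sorted(p for p in popular if 0 < edit_distance(name, p) <= max_dist)

def audit_manifest(manifest):
    """Findings for one parsed package.json: lifecycle hooks and near-miss names."""
    findings = []
    hooks = [h for h in LIFECYCLE if h in manifest.get("scripts", {})]
    if hooks:
        findings.append(("lifecycle_script", hooks))
    near = typosquat_candidates(manifest.get("name", ""))
    if near:
        findings.append(("typosquat_suspect", near))
    return findings

def scan_tree(root):
    """Audit every package.json under root (for example a node_modules directory)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if "package.json" in files:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                try:
                    findings = audit_manifest(json.load(fh))
                except ValueError:
                    continue  # unparsable manifest; skip rather than crash the scan
            if findings:
                report[dirpath] = findings
    return report

def key_present(authorized_keys_text, bad_key_body):
    """True if the known-bad key body appears as a field of any authorized_keys line."""
    return any(bad_key_body in line.split() for line in authorized_keys_text.splitlines())
```

Run `scan_tree("node_modules")` after an install to list packages with install hooks or suspicious names, and pass the key body from the IoC list to `key_present` against each user's authorized_keys file.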
MITRE Techniques
Supply Chain Compromise (T1195.002): Compromise Software Supply Chain.
Masquerading (T1036.005): Match Legitimate Name or Location.
Command and Scripting Interpreter (T1059.007): JavaScript.
Remote Services (T1021.004): SSH.
Exploit Public-Facing Application (T1190): Exploit Public-Facing Application.
Data from Local System (T1005): Data from Local System.
Exfiltration Over Web Service (T1567.004): Exfiltration Over Webhook.
IoC:
[Malicious Package] babelcl
[Malicious Package] chokader
[Malicious Package] streamserch
[Malicious Package] sss2h
[Malicious Package] npmrunnall
[Malicious Package] node-pyt
[Malicious Package] parimiko
[Hardcoded SSH Public Key] AAAAB3NzaC1yc2EAAAADAQABAAABAQCnTfldNjDJjIdEBrURW+h07EesyNTJiaHl0LOGroC8WSlDPQNa1koRHmcVUdmEbdmiomsS/PTtLiJsANMIS9PDK5z1F6BQL0ZqcrWowD7IwQ3+aoxdVpUK2z+S5/guppkzbfCoWQ65XOAjdt1AQf4MTEaW6uewLM35aHinM860c3TwkDvH1WTG2HxpPV1zgDmVKPyG6o+BRAhBsoJOeGXvDZt7MP42P8lAr2eTaDLNQV2oK5jmIHCgk3aW5G5zDv1eCucb2qg6YKgeIedb89VBQrWhl9PNyrwdCcMrH/PEcRsR8xt+RHeBiHtmNvhJ4pYOrdQi4NzHTtiLeqcr8IXB
[URL] https://webhook-test[.]com/8caf20007640ce1a4d2843af7b479eb1
Full Research: https://socket.dev/blog/malicious-npm-packages-inject-ssh-backdoors-via-typosquatted-libraries