A new large-scale supply chain attack has been observed targeting Azure developers with no fewer than 218 malicious NPM packages, with the goal of stealing personally identifiable information.
“After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure NPM scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope,” JFrog researchers Andrey Polkovnychenko and Shachar Menashe said in a new report.
The entire set of malicious packages was disclosed to the NPM maintainers roughly two days after they were published, leading to their quick removal, but not before each of the packages was downloaded around 50 times on average.
The attack is an instance of what’s called typosquatting, which takes place when bad actors push rogue packages with names mimicking legitimate libraries to a public software registry such as NPM or PyPI, in the hope of tricking users into installing them.
In this specific case observed by the DevSecOps firm, the unknown adversary is said to have created dozens of malicious counterparts of existing @azure-scoped packages, each using the same name but without the scope (e.g., @azure/core-tracing vs. core-tracing).
“The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package,” the researchers said. “For example, running npm install core-tracing by mistake, instead of the correct command – npm install @azure/core-tracing.”
Read more: https://bit.ly/3wzUlHM
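The dropped-scope pattern the researchers describe can be checked for before a lockfile is committed. The following is an added example, not code from the JFrog report; the list of known scoped packages and the sample package.json are constructed for illustration, and in practice the list would come from the registry or an internal allowlist.

```javascript
// Flag unscoped dependencies whose names collide with the unscoped part of a
// known scoped package (the @azure/core-tracing vs. core-tracing pattern).
// Constructed sample of known scoped packages; real deployments would load this
// from the registry or an internal allowlist.
const KNOWN_SCOPED = [
  '@azure/core-tracing',
  '@azure/core-http',
  '@azure/identity',
  '@azure/storage-blob',
];

// Map each unscoped tail (e.g. "core-tracing") to the scoped package(s) that own it.
function buildShadowMap(scopedNames) {
  const map = new Map();
  for (const full of scopedNames) {
    const m = /^@[^/]+\/(.+)$/.exec(full);
    if (!m) continue;
    const tail = m[1];
    if (!map.has(tail)) map.set(tail, []);
    map.get(tail).push(full);
  }
  return map;
}

// Walk every dependency section of a parsed package.json and return the
// unscoped entries that look like a scoped package with its scope dropped.
function findScopeDrops(pkg, scopedNames = KNOWN_SCOPED) {
  const shadows = buildShadowMap(scopedNames);
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const hits = [];
  for (const section of sections) {
    for (const name of Object.keys(pkg[section] || {})) {
      if (name.startsWith('@')) continue; // scoped names are not the pattern in question
      if (shadows.has(name)) {
        hits.push({ section, name, probablyMeant: shadows.get(name) });
      }
    }
  }
  return hits;
}

// Constructed sample package.json: two scope-dropped entries, one legitimate
// scoped package and one unrelated package.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { 'core-tracing': '^1.0.0', '@azure/identity': '^2.0.0', lodash: '^4.17.21' },
  devDependencies: { 'storage-blob': '*' },
});

console.log(findScopeDrops(JSON.parse(SAMPLE_PACKAGE_JSON)));
```

A non-empty result is a signal to review the entry, not proof of compromise: an unscoped package can legitimately share a name with a scoped one.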