Hackers are abusing the Node Package Manager (NPM) registry — a database of JavaScript packages — to target multi-language developers with typo-squatted packages containing stealers and remote code execution (RCE) code.
According to research by cybersecurity firm Socket, a coordinated malware campaign, with evidence of origin in China, has published dozens of malicious packages that mimic well-known Python, Java, C++, .NET, and Node.js libraries.
“This tactic may specifically target developers familiar with multiple programming languages, tricking them into installing malicious packages due to familiar-sounding package names, which appear unexpectedly in the npm registry instead of their original ecosystem,” said Socket researchers in a blog post.
The booby-trapped packages used in the campaign pack obfuscated code, designed to slip past security defences, run malicious scripts to siphon off sensitive data, and establish persistence on affected systems.
A coordinated attack is at play
All the packages observed by the researchers exhibited similar obfuscation techniques with the end goal of enabling data exfiltration or RCE. Attackers planted the malicious packages in NPM, hoping either multi-language developers accidentally pick them up for their familiar names, or CI/CD systems automatically install them.
Researchers were also able to link the campaign to China, adding another layer to the growing cyberspace tension between the US and China. “Although these packages list different maintainers, analysis revealed that they share infrastructure, use identical obfuscated payloads, and point to the same IP address 8[.]152[.]163[.]60 confirming a single, coordinated threat actor targeting developers across ecosystems,” the researchers at Socket said.
The IP address was traced to the Beijing region of China and is associated with Alibaba Cloud (Singapore), the researchers added.
Because every malware sample retrieved included a persistence module, nation-state involvement cannot be entirely ruled out. The researchers said, “packages contain code that attempts persistence or lateral movement via installation of remote shell scripts.”
Auditing and blocking suspicious dependencies might help
Developers are advised to audit the dependencies recorded in Node.js project manifests and lockfiles, such as package.json and package-lock.json, which can expose malicious installations anywhere in the dependency tree. Blocking suspicious packages with a proxy registry or an allowlist policy can also help.
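The following is an added example (not code from the article or from Socket) of the lockfile audit and allowlist check described above: it walks the `packages` map of a package-lock.json (v2/v3 format) and flags any dependency that is missing from an allowlist, sits within two edits of a popular npm package name, or reuses the name of a well-known library from another ecosystem. The watch lists and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit a package-lock.json for typosquats and cross-ecosystem impersonators.
const POPULAR_NPM = ["lodash", "express", "axios", "react"];          // assumed watch list
const OTHER_ECOSYSTEM = ["requests", "numpy", "gson", "newtonsoft"];  // assumed Python/Java/.NET names

// Levenshtein edit distance; typosquats usually sit within 1-2 edits of the real name.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Lockfile v2/v3 keys "packages" by path ("node_modules/foo", nested paths, "" for the root).
// Taking the text after the last "node_modules/" yields the package name, scope included.
function lockfileNames(lockJson) {
  const lock = JSON.parse(lockJson);
  return Object.keys(lock.packages || {}).filter(p => p !== "")
    .map(p => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length));
}

// Returns [{ name, reasons }] for every dependency that deserves manual review.
function auditLockfile(lockJson, allowlist) {
  const findings = [];
  for (const name of lockfileNames(lockJson)) {
    const reasons = [];
    if (!allowlist.has(name)) reasons.push("not on allowlist");
    if (OTHER_ECOSYSTEM.includes(name)) reasons.push("name of a non-npm library");
    const near = POPULAR_NPM.find(p => p !== name && editDistance(name, p) <= 2);
    if (near) reasons.push(`within 2 edits of ${near}`);
    if (reasons.length) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed lockfile: one legitimate dependency, a nested dependency, and two suspicious names.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/lodahs": { version: "1.0.0" },                        // constructed typosquat
    "node_modules/numpy": { version: "0.0.1" },                         // constructed cross-ecosystem name
    "node_modules/lodash/node_modules/express": { version: "4.18.2" }, // nested, allowlisted
  },
});

console.log(auditLockfile(SAMPLE_LOCK, new Set(["lodash", "express"])));
```

In a CI pipeline the allowlist would come from the organisation's approved-package policy, and any non-empty finding list should fail the build rather than just print.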
Training developers to recognize typosquatting and package impersonation is becoming critical amid growing supply chain threats using similar techniques. Attackers recently got creative as they weaponized AI hallucinations to distribute malicious packages with fake names that AI models recommended in their outputs.
NPM remains a popular staging ground for attackers, who have repeatedly used it to carry out supply chain breaches. Socket shared a list of the malicious packages used in the campaign, along with other indicators and the MITRE ATT&CK techniques observed.
Source: Hackers booby trap NPM with cross-language imposter packages | CSO Online