Malicious npm packages target Azure developers to steal personal data | ZDNet

A “large scale” attack is targeting Microsoft Azure developers through malicious npm packages. 

On Wednesday, cybersecurity researchers from JFrog said that hundreds of malicious packages have been identified, created to steal valuable personally identifiable information (PII) from developers. 

According to researchers Andrey Polkovnychenko and Shachar Menashe, the repositories were first detected on March 21 and steadily grew from roughly 50 malicious npm packages to over 200 in a matter of days.

The miscreants responsible for the npm repositories have developed an automated script that targets the @azure npm scope, alongside @azure-rest, @azure-tests, @azure-tools, and @cadl-lang. 

The script is responsible for creating accounts and uploading the npm sets, which include container services, a health bot, testers, and storage packages. 

JFrog says that typosquatting has been used to try to dupe developers into downloading the files. At the time of writing, these packages contained information stealer malware.

Typosquatting is a form of phishing in which small changes are made to an email address, file, or website address to mimic a legitimate service or content. For example, an attacker could target users of “your-company.com” by registering a domain name with “your-c0mpany.com” — and by replacing a single letter, they hope that victims do not notice that the resource is fraudulent. 

In this case, malicious packages are created with the same name as an existing @azure scope package, but they have dropped the scope. 

[Screenshots (source: JFrog): the legitimate package, and the malicious counterpart, missing the scope.]

“The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package,” the researchers say. “For example, running npm install core-tracing by mistake, instead of the correct command — npm install @azure/core-tracing.”

Furthermore, all of the npm packages were given high version numbers, which could indicate dependency confusion attack attempts. 

“Since this set of legitimate packages is downloaded tens of millions of times each week, there is a high chance that some developers will be successfully fooled by the typosquatting attack,” JFrog added.
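The scope-dropping trick described above can be checked for locally. The following is an added example, not code from JFrog or ZDNet: it scans a package.json's dependency fields for unscoped names that match the basename of a known scoped package (for instance `core-tracing` standing in for `@azure/core-tracing`). The list of known scoped packages and the sample package.json are constructed for the example; a real check would take the list from an allowlist or registry query.

```javascript
// Constructed sample of scoped packages a project is expected to use.
// In practice this would come from an allowlist or a registry lookup.
const KNOWN_SCOPED = [
  "@azure/core-tracing",
  "@azure/storage-blob",
  "@azure-rest/core-client",
];

// "@azure/core-tracing" -> "core-tracing"; returns null for unscoped names.
function scopeBasename(name) {
  const m = /^@[^/]+\/(.+)$/.exec(name);
  return m ? m[1] : null;
}

// Returns one finding per unscoped dependency whose name collides with the
// basename of a known scoped package, i.e. a likely dropped-scope typo.
function findDroppedScope(pkgJson, knownScoped = KNOWN_SCOPED) {
  const byBasename = new Map();
  for (const full of knownScoped) {
    const base = scopeBasename(full);
    if (base) byBasename.set(base, full);
  }
  const findings = [];
  const fields = ["dependencies", "devDependencies", "optionalDependencies"];
  for (const field of fields) {
    for (const [name, version] of Object.entries(pkgJson[field] || {})) {
      if (name.startsWith("@")) continue; // scoped names are not the concern here
      const expected = byBasename.get(name);
      if (expected) findings.push({ field, name, version, expected });
    }
  }
  return findings;
}

// Constructed package.json: one dependency has lost its @azure scope.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "@azure/storage-blob": "^12.0.0",
    "core-tracing": "^1.0.0",
    "lodash": "^4.17.21",
  },
  devDependencies: { "mocha": "^10.0.0" },
};

for (const f of findDroppedScope(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.field}: "${f.name}@${f.version}" looks like ${f.expected} with the scope dropped`);
}
```

Run against a real package.json by replacing `SAMPLE_PACKAGE_JSON` with the parsed file; a lockfile can be walked the same way.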

JFrog has provided a full list of the malicious npm packages detected so far. Npm maintainers have removed the malicious files, but Azure developers should be on the alert for further activity from this threat actor. 
