More than 200 malicious npm packages were recently removed from the npm registry, security experts have confirmed.
The goal of the packages was to steal personally identifiable information (PII) from the endpoints of Microsoft Azure developers.
As per a report from The Register, security firm JFrog’s automated analysis of the repository started raising alarms about suspicious uploads earlier this week. Manual inspection has since uncovered a group of more than 200 packages, all of which were essentially malware.
“After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure npm scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope,” security researchers Andrey Polkovnychenko and Shachar Menashe said in their analysis of the incident.
In an attempt to trick the developers, the attackers gave the malicious packages the same name as their non-malicious counterparts, with the @azure scope identifier missing.
“The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package,” the researchers explained. “For example, running npm install core-tracing by mistake, instead of the correct command – npm install @azure/core-tracing.”
But that’s not the only way the attackers tried to fool people into downloading these malicious packages. They also added high version numbers hoping that internal npm private proxies search for newer versions of packages first.
Finally, the attackers uploaded the packages via an automated script that created a unique username for each upload, probably in hopes of avoiding common detection methods.
In total, 218 malicious packages were uploaded and were in place for two days. During that time, they were downloaded an average of 50 times each, totalling roughly 10,000 potential victims.