These npm packages are designed to steal personally identifiable information (PII). JFrog researchers Shachar Menashe and Andrey Polkovnychenko say they found the packages on March 21, when there were 50 of them; that number soon grew to 200. The company explains how the attack targets Microsoft Azure: “After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure npm scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope. Currently, the observed malicious payload of these packages were PII (Personally identifiable information) stealers.”
Attack Method
Using automated scripts, the threat actor is targeting the @azure npm scope along with @azure-tests, @azure-rest, @cadl-lang, and @azure-tools. The script creates npm accounts and uploads the packages. The campaign relies on typosquatting to trick developers into installing the malicious packages, each of which carries a stealer that collects PII.

“The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package,” the researchers add. “For example, running npm install core-tracing by mistake, instead of the correct command — npm install @azure/core-tracing.”

“Since this set of legitimate packages is downloaded tens of millions of times each week, there is a high chance that the typosquatting attack will successfully fool some developers,” JFrog says.
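The mistake the campaign relies on (installing core-tracing instead of @azure/core-tracing) is easy to catch in a dependency review. The script below is an added example, not code from JFrog or from the article: it builds an index of the basenames of scoped packages an organisation legitimately uses and flags any unscoped dependency in a package.json whose name collides with one of them. The list of known scoped packages and the sample package.json are constructed for illustration; in practice the list would be generated from the scopes a project actually consumes.

```javascript
// Added example (not from JFrog or the article): flag unscoped dependencies
// whose names are the basename of a known scoped package, the exact typo the
// @azure typosquatting campaign depends on.

// Constructed list of legitimate scoped packages a project is expected to use.
// An assumption for the example; derive it from your real lockfiles or
// registry allow-list in practice.
const KNOWN_SCOPED_PACKAGES = [
  "@azure/core-tracing",
  "@azure/core-http",
  "@azure/identity",
  "@azure-rest/core-client",
  "@azure-tools/test-recorder",
];

// Map "basename" -> [scoped packages that share it], e.g.
// "core-tracing" -> ["@azure/core-tracing"].
function buildBasenameIndex(scopedPackages) {
  const index = new Map();
  for (const full of scopedPackages) {
    const match = /^(@[^/]+)\/(.+)$/.exec(full);
    if (!match) continue; // ignore anything that is not "@scope/name"
    const base = match[2];
    if (!index.has(base)) index.set(base, []);
    index.get(base).push(full);
  }
  return index;
}

// Walk every dependency section of a parsed package.json and return one
// finding per unscoped dependency that collides with a known scoped basename.
function findUnscopedCollisions(packageJson, scopedPackages = KNOWN_SCOPED_PACKAGES) {
  const index = buildBasenameIndex(scopedPackages);
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const findings = [];
  for (const section of sections) {
    const deps = packageJson[section] || {};
    for (const [name, version] of Object.entries(deps)) {
      if (name.startsWith("@")) continue; // already scoped: not the mistake we look for
      const expected = index.get(name);
      if (expected) findings.push({ section, name, version, expected });
    }
  }
  return findings;
}

// Constructed package.json containing two suspicious entries.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    "@azure/identity": "^2.0.0",
    "core-tracing": "1.0.0",   // unscoped twin of @azure/core-tracing
    "express": "^4.18.0",
  },
  devDependencies: {
    "test-recorder": "1.0.0",  // unscoped twin of @azure-tools/test-recorder
  },
};

// Render findings as one line each for CI output.
function formatFindings(findings) {
  return findings.map(
    (f) => `${f.section}: "${f.name}@${f.version}" looks like a typo for ${f.expected.join(" or ")}`
  );
}

for (const line of formatFindings(findUnscopedCollisions(SAMPLE_PACKAGE_JSON))) {
  console.log(line);
}
```

Run it as a pre-install or CI step against the project's package.json; a non-empty result should block the build until a human confirms the dependency was intended, since an unscoped name that mirrors a scoped one is precisely the pattern this campaign exploited.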