dark reading threat intel and cybersecurity news

A routine scan of the NPM open source code repository in April turned up several packages using a JavaScript obfuscator to hide their true function.

After further investigation, analysts with ReversingLabs reported they have uncovered a campaign dating back at least six months that used more than two dozen malicious NPM modules to steal data from sites and applications. Altogether, the team found that the malicious NPM packages had been downloaded 27,000 times.

“While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands, of downstream mobile and desktop applications as well as websites,” the ReversingLabs researchers explained in a blog post. “In one case, a malicious package had been downloaded more than 17,000 times.”

Attack Relies on Typo-Squatting

The attack relies on so-called typo-squatting, where threat actors disguise malicious code packages with names very close to legitimate ones, including subtle naming variations and common misspellings, the researchers said.

For instance, one of the malicious packages lurking in the NPM repository is named “umbrellaks,” an attempt to hijack developers looking for the popular document object model (DOM) framework “umbrellajs,” the ReversingLabs team added.
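The naming trick above can be caught mechanically before install. The following is an added example (not code from the article or from ReversingLabs) that flags dependencies in a package.json whose names sit within a small edit distance of a trusted package; the trusted list and the sample manifest are constructed for the demo.

```javascript
// Added example: detect lookalike dependency names such as "umbrellaks"
// impersonating "umbrellajs". The trusted list is constructed for this demo;
// a real audit would use an organisation's approved-package inventory.
const TRUSTED_PACKAGES = ["umbrellajs", "lodash", "express", "react"];

// Classic Levenshtein edit distance (insert / delete / substitute, cost 1 each),
// computed with a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][j-1] for the current j
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // dp[i-1][j], needed as next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Return [{ name, lookalikeOf, distance }] for dependencies that are not a
// trusted name themselves but lie within maxDistance edits of one.
function findTyposquatCandidates(pkgJson, trusted = TRUSTED_PACKAGES, maxDistance = 2) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const hits = [];
  for (const name of Object.keys(deps)) {
    if (trusted.includes(name)) continue; // exact match: the genuine package
    for (const good of trusted) {
      const d = editDistance(name.toLowerCase(), good.toLowerCase());
      if (d <= maxDistance) hits.push({ name, lookalikeOf: good, distance: d });
    }
  }
  return hits;
}

// Constructed sample manifest: one genuine dependency, one lookalike from the article.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { umbrellaks: "^3.0.0", lodash: "^4.17.21" },
};

const demoHits = findTyposquatCandidates(SAMPLE_PACKAGE_JSON);
console.log(demoHits); // one hit: umbrellaks is 1 edit from umbrellajs
```

A distance threshold of 1 or 2 catches single-character swaps and dropped letters; pair it with a check that the dependency is published by the expected maintainer, since a lookalike name is only the first signal.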

What makes this supply chain attack reminiscent of the SolarWinds attack, the analysts pointed out, is the fact that the target isn’t the developer inadvertently using the malicious code but, rather, the site or application further down the software supply chain.

“This attack marks a significant escalation in software supply-chain attacks,” according to the ReversingLabs malicious NPM report. “Malicious code bundled within the NPM modules is running within an unknown number of mobile and desktop applications and web pages, harvesting untold amounts of user data.”

Most of the malicious open source modules are still available, despite the analysts reporting their findings to NPM on July 1, they added. The report contains a list of affected packages.