Malicious npm packages have surfaced once again. This time, four malicious packages from a single npm account appeared in the registry, two of which were still live and were posting user data to a public GitHub page.
npm Packages Published User Data Online
Researchers from Sonatype found two malicious npm packages that leaked user data online. As described in their blog post, once installed on a victim's machine, the packages collected data and posted it to a GitHub page.
In brief, they found two packages, "electorn" and "loadyaml", that relied on typosquatting. Describing this technique, the researchers stated,
Typosquatting packages prey on a developer or unsuspecting user to make a minor typographical error which will trick them into installing the malicious package within their environment instead of the one they had originally intended to download.
In other words, the attackers gave the malicious packages misspelled names of legitimate packages. So if someone wanting to install "electron" inadvertently typed "electorn", the malicious package would be installed instead.
Once installed on the target device, the package would collect the victim's data, including IP address, geolocation and device fingerprint, and publish it all on a GitHub page.
Both packages were uploaded by the same npm account, "simplelive12". That account had earlier uploaded two other malicious packages, "lodashs" and "loadyml", but the author removed them before anyone detected them.
Malicious Packages Removed
Upon detecting the malicious packages, Sonatype published their findings immediately to alert the community.
According to the timeline they shared, the packages first appeared online on August 17, 2020. However, the author removed two of them soon after uploading.
The other two remained available and caught the researchers' attention; Sonatype alerted npm and GitHub and publicly disclosed the details at the same time. Regarding the swift public disclosure, they clarified,
Our reason for the public disclosure centers on the fact that sensitive information of users who downloaded these packages inadvertently is already being exposed on the web and the malicious packages continue to exist on npm downloads, therefore the standard vulnerability disclosure timelines would not apply in this case.
Shortly after the report, npm removed the malicious packages, and GitHub took down the page broadcasting the data.
Also in September, npm disclosed the existence and subsequent removal of a separate malicious package that stole user data.