The four packages in which the malicious code was found, with their download counts, were:
- electorn: 255 downloads
- lodashs: 78 downloads
- loadyaml: 48 downloads
- loadyml: 37 downloads
All four packages were published by the same user (simplelive12) and uploaded to the npm registry in August. Two of them (lodashs and loadyml) were removed by the author shortly after publication, but had already been installed by some users.
The remaining two, electorn and loadyaml, were removed last week, on October 1, by the npm security team following a report by Sonatype, a company that monitors public package repositories as part of its DevSecOps work (DevSecOps being a set of practices that integrates security into software development and IT operations).
According to Sonatype security researcher Ax Sharma, the four malicious packages relied on a technique known as typosquatting to get installed.
All four carried names similar to those of popular packages and counted on users mistyping the name of a popular package when installing it.
When a developer accidentally installed one of the four malicious packages, the malicious code collected the developer's IP address, country, city, computer username, home directory path and CPU model, and posted this information as a new comment in the "Issues" section of a GitHub repository.
Sharma said the data would not stay on GitHub for long, as it was cleared every 24 hours.
Although the ultimate goal of this campaign is not known, it was most likely a reconnaissance campaign.
Information such as IP addresses, usernames and home directory paths can reveal whether a user works from home or from a corporate environment. Data such as the home directory path and the CPU model can also help attackers develop malware tailored to a particular architecture.
All the attacker would then have had to do was push a new version of electorn and loadyaml carrying additional malicious code.
Developers are advised to review their project dependencies, including the lockfile, to see whether they accidentally installed one of the four packages.