
This week in malware—400+ npm packages target Azure, Uber, Airbnb developers

This week Sonatype’s automated malware detection systems have caught upward of 400 npm packages, the majority of which include dependency confusion components and typosquats targeting Azure, Uber, and Airbnb developers.

At the start of this month, we reported on a sharp uptick in open source attacks after finding over 130 npm typosquats and dozens of malicious PyPI packages. As predicted, attacks on open source registries continue to surge while the cybersecurity community around the world is focused on the ongoing international crisis.

288 Azure typosquats discovered

The number of dependency confusion copycats we discovered this week is too large to list in full in this blog post; a subset of them is shown below.

All of these packages are identical in structure and carry versions like 99.0.0 or 99.0.1, the telltale sign of a dependency confusion candidate: an implausibly high version number ensures that a build which consults both a private registry and the public npm registry resolves the attacker's public copy over the legitimate internal one.

Official Azure packages are published under the @azure scope (namespace) on npm; the copycats are unscoped names modelled on them. The packages we found this week contain either skeleton code or simple DNS exfiltration that leaks the targeted machine's IP address and basic fingerprinting information.

azure-arm-labservices-samples-js-beta
azure-arm-machinelearningexperimentation-samples-js-beta
azure-arm-machinelearningexperimentation-samples-ts-beta
azure-arm-managementpartner-samples-js
azure-arm-mariadb-samples-js
azure-arm-mariadb-samples-ts
azure-arm-marketplaceordering-samples-js
azure-arm-marketplaceordering-samples-ts
azure-arm-migrate-samples-ts
azure-arm-mixedreality-samples-js
azure-arm-peering-samples-ts
azure-arm-postgresql-flexible-samples-js
azure-arm-powerbidedicated-samples-js
azure-arm-powerbidedicated-samples-ts
azure-arm-recoveryservicesbackup-samples-js
azure-arm-recoveryservicesbackup-samples-ts
azure-arm-redisenterprisecache-samples-ts
azure-arm-servicemap-samples-js-beta
azure-arm-workspaces-samples-js
azure-arm-workspaces-samples-ts
azure-core-tracing-samples-js
azure-core-tracing-samples-ts
azure-iot-device-update-samples-js
azure-iot-device-update-samples-ts

Note that these packages appear to have been published in small batches from different npm accounts, possibly to avoid raising red flags. Given their identical structure and the fact that they are named after real Azure packages, we also suspect they were auto-generated and published by a script.
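The two indicators described above (the 99.x version pattern and unscoped names mimicking a vendor scope) are easy to check for in a lockfile before a build ever runs. The script below is an added example, not code from the Sonatype post or from npm: it walks the "packages" map of a package-lock.json (v2/v3) and flags entries with an implausibly high major version, unscoped names that look like a known scope's packages, and packages in a private scope that were resolved from the public registry. The private scope @example-corp, the internal registry hostname and the lockfile excerpt are constructed for the example; azure-arm-mariadb-samples-js is one of the names listed in the post.

```javascript
// Added example (not Sonatype's or npm's code): audit a package-lock.json
// "packages" map for dependency-confusion and scope-lookalike indicators.
// These are heuristics, every hit needs human review:
//  1. major version >= 99: the dependency-confusion tell, since the attacker
//     needs the public copy to out-rank any internal version;
//  2. an unscoped name mimicking a vendor scope ("azure-..." vs "@azure/...");
//  3. a package in one of *our* private scopes that resolved from the public
//     registry, i.e. the confusion has already happened.
const SUSPICIOUS_MAJOR = 99;
const KNOWN_VENDOR_SCOPES = ["@azure", "@uber", "@airbnb"]; // scopes the post's targets publish under
const PRIVATE_SCOPES = ["@example-corp"];                    // assumption: our own internal scope
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Major version from a semver string; NaN when it cannot be parsed.
function majorOf(version) {
  const m = /^(\d+)\./.exec(String(version || ""));
  return m ? Number(m[1]) : NaN;
}

// Lockfile keys are install paths: "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Returns a list of { name, version, reason } findings for the given lockfile object.
function auditLock(lock) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = nameFromLockPath(lockPath);
    const version = meta.version || "";
    const resolved = meta.resolved || "";
    const scoped = name.startsWith("@");

    if (majorOf(version) >= SUSPICIOUS_MAJOR) {
      findings.push({ name, version, reason: "implausible-major-version" });
    }
    if (!scoped) {
      const mimicked = KNOWN_VENDOR_SCOPES.find((s) => name.startsWith(s.slice(1) + "-"));
      if (mimicked) findings.push({ name, version, reason: `unscoped-lookalike-of-${mimicked}` });
    }
    if (scoped && PRIVATE_SCOPES.some((s) => name.startsWith(s + "/")) && resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ name, version, reason: "private-scope-resolved-from-public-registry" });
    }
  }
  return findings;
}

// Constructed lockfile excerpt, not a real project. The azure-arm-mariadb-samples-js
// entry reproduces the 99.x version pattern from the post; @example-corp is hypothetical.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@azure/core-tracing": {
      version: "1.0.1",
      resolved: "https://registry.npmjs.org/@azure/core-tracing/-/core-tracing-1.0.1.tgz",
    },
    "node_modules/azure-arm-mariadb-samples-js": {
      version: "99.0.1",
      resolved: "https://registry.npmjs.org/azure-arm-mariadb-samples-js/-/azure-arm-mariadb-samples-js-99.0.1.tgz",
    },
    "node_modules/@example-corp/billing-client": {
      version: "2.3.0",
      resolved: "https://registry.npmjs.org/@example-corp/billing-client/-/billing-client-2.3.0.tgz",
    },
    "node_modules/@example-corp/auth-sdk": {
      version: "1.4.2",
      resolved: "https://npm.example-corp.internal/@example-corp/auth-sdk/-/auth-sdk-1.4.2.tgz",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.reason}: ${f.name}@${f.version}`);
}
```

On the sample above the script reports azure-arm-mariadb-samples-js twice (high version and @azure lookalike) and @example-corp/billing-client once (private scope fetched from npmjs.org), while @example-corp/auth-sdk, which resolved from the internal registry, is left alone. The third check is the one worth wiring into CI: pinning each private scope to its registry in .npmrc (`@example-corp:registry=https://npm.example-corp.internal/`) stops the resolver from ever asking the public registry for those names, and the audit then catches any lockfile that predates the pin.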

90 packages target Uber and Airbnb devs

The 90 dependency confusion packages targeting Uber and Airbnb developers are all identical in their structure—each of them typically has only one version (99.9.

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/this-week-in-malware-400-npm-packages-target-azure-uber-airbnb-developers
