
Counterfeit ESLint and Node ‘types’ libraries downloaded thousands of times abuse Pastebin

The legitimate ESLint packages on the npmjs.com registry are called “typescript-eslint” and “@typescript-eslint/eslint-plugin.” Unscrupulous actors have published a typosquat named “@typescript_eslinter/eslint” that closely resembles the names of the real libraries but is up to no good. The counterfeit component has been downloaded thousands of times. Similarly, attackers impersonated another popular npm package, “@types/node”; its counterfeit version scored 6,765 weekly downloads and 20,502 downloads over the course of its lifetime.

Sonatype’s 2024 Open Source Malware report highlights that 98.5% of all open source malware discovered by us was published in the npmjs.com registry, which remains a prominent choice among threat actors looking to push their malicious artifacts downstream to millions.

Earlier this month, Sonatype discovered malicious typosquats that closely impersonate the legitimate npm libraries TypeScript ESLint and @types/node. These counterfeit components, listed below, have been downloaded thousands of times.

The counterfeit versions were analyzed by Sonatype security researchers Jeff Thornhill and Ali ElShakankiry.

While typosquatting attacks are hardly new, the effort nefarious actors spent on passing these two libraries off as legitimate is noteworthy. Furthermore, the high download counts for packages like “types-node” point to two things at once: some developers possibly falling for these typosquats, and threat actors artificially inflating the counts to boost the apparent trustworthiness of their malicious components.

Published by the npm author account ~typescript_eslinter, a misleading username, the fake ESLint package contains metadata, such as links to a GitHub repository, that further touts the component as trustworthy.

The GitHub repository contains much the same files as the counterfeit npm component. Another tactic the attacker has employed is publishing a fake “Prettier” package called @typescript_eslinter/prettier. The fake (Read more...)
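As an added example that is not part of the original post or Sonatype's tooling: a small Node.js script that audits a dependency list for the kinds of lookalike names described above (a scope that mimics a real package name, an underscore swapped for a hyphen, a scope folded into an unscoped name). The known-good list, the sample dependencies other than the package names quoted in the post, and the edit-distance tolerance of two are all constructed assumptions for illustration.

```javascript
// Added example, not code from the Sonatype post. Flags npm dependency names
// that resemble known-good packages using the tricks seen in this campaign.
// KNOWN_GOOD and the non-quoted sample names are constructed for illustration.

const KNOWN_GOOD = [
  "typescript-eslint",
  "@typescript-eslint/eslint-plugin",
  "@types/node",
  "prettier",
];

const MAX_EDITS = 2; // assumed tolerance for "close but not identical" names

// Split "@scope/name" into lowercased parts with '_' folded to '-', so a
// hyphen/underscore swap cannot hide a lookalike. `flat` joins scope and
// name so "@types/node" and "types-node" compare equal.
function parseName(name) {
  const m = /^(?:@([^/]+)\/)?([^/@]+)$/.exec(name.trim().toLowerCase());
  if (!m) return null;
  const fold = (s) => s.replace(/_/g, "-");
  const scope = m[1] ? fold(m[1]) : "";
  const pkg = fold(m[2]);
  return { scope, pkg, flat: scope ? `${scope}-${pkg}` : pkg };
}

// Levenshtein edit distance (insert, delete, substitute; cost 1 each).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const sub = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + sub);
    }
  }
  return dp[a.length][b.length];
}

// Reason string if `candidate` looks like a lookalike of `good`; null when it
// is the exact package, unrelated, or a legitimate sibling in the same scope.
function lookalikeReason(candidate, good) {
  const c = parseName(candidate);
  const g = parseName(good);
  if (!c || !g) return null;
  if (candidate.trim().toLowerCase() === good.toLowerCase()) return null;
  if (c.flat === g.flat) return `same as ${good} once scope and '_'/'-' are ignored`;
  if (c.scope && g.scope && c.scope !== g.scope) {
    const d = editDistance(c.scope, g.scope);
    if (d <= MAX_EDITS) return `scope is within ${d} edit(s) of @${g.scope}`;
  }
  if (c.scope && !g.scope) {
    // A scope that mimics an unscoped package name, e.g. @typescript_eslinter
    // vs typescript-eslint. An identical scope (d === 0) is the real project.
    const d = editDistance(c.scope, g.pkg);
    if (d >= 1 && d <= MAX_EDITS) return `scope resembles the unscoped package ${good}`;
  }
  if (g.flat.length >= 5) {
    const d = editDistance(c.flat, g.flat);
    if (d <= MAX_EDITS) return `within ${d} edit(s) of ${good}`;
  }
  return null;
}

// Audit dependency names (e.g. Object.keys(pkg.dependencies)) and return
// one finding per suspicious name.
function auditDependencies(deps, knownGood = KNOWN_GOOD) {
  const exact = new Set(knownGood.map((n) => n.toLowerCase()));
  const findings = [];
  for (const dep of deps) {
    if (exact.has(dep.trim().toLowerCase())) continue; // known-good as-is
    for (const good of knownGood) {
      const reason = lookalikeReason(dep, good);
      if (reason) {
        findings.push({ name: dep, resembles: good, reason });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample: two legitimate-looking names plus the three counterfeit
// names quoted in the post.
const SAMPLE_DEPENDENCIES = [
  "@typescript-eslint/parser",
  "lodash",
  "@typescript_eslinter/eslint",
  "@typescript_eslinter/prettier",
  "types-node",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditDependencies(SAMPLE_DEPENDENCIES)) {
    console.log(`SUSPICIOUS ${f.name}: ${f.reason}`);
  }
}

module.exports = { parseName, editDistance, lookalikeReason, auditDependencies, SAMPLE_DEPENDENCIES };
```

A hit is a prompt to inspect the publisher account, repository and download history before installing, not a verdict: edit-distance heuristics do produce false positives on legitimately related packages, which is why the script deliberately leaves an identical scope alone and never flags a name that is itself on the known-good list.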

*** This is a Security Bloggers Network syndicated blog from 2024 Sonatype Blog authored by Ax Sharma. Read the original post at: https://www.sonatype.com/blog/counterfeit-eslint-and-node-types-libraries-downloaded-thousands-of-times-abuse-pastebin