Malware, Threat Intelligence

Ongoing npm malware campaign involves Ethereum smart contracts


Hundreds of widely used npm packages have been spoofed to target developers with credential-stealing malware as part of an ongoing typosquatting campaign that facilitates command-and-control via Ethereum smart contracts, reports The Register.

Typosquatted packages for Puppeteer, Bignum.js, and 285 other libraries have been leveraged by threat actors to enable malware compromise and persistent machine access, according to an analysis from Phylum. Popular git hooks library husky was also discovered by Socket researchers to have been typosquatted as part of the campaign, with numerous other malware-laced npm packages using the same attack chain deployed within a 24-hour period. Another analysis by Checkmarx researchers revealed similar C2 infrastructure used by the typosquatted package jest-fet-mock that spoofed the fetch-mock-jst and Jest-Fetch-Mock testing utilities for JavaScript. "Given that the legitimate packages are primarily used in development environments where developers typically have elevated system privileges, and are often integrated into CI/CD pipelines, we believe this attack specifically targets development infrastructure through the compromise of testing environments," said Checkmarx researcher Yehuda Gelb.
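The campaign relies on package names that differ from a legitimate library by only a character or two (jest-fet-mock for jest-fetch-mock, for instance). The script below is an added, illustrative defender-side check, not code from the article, from The Register, or from any of the vendors named: it reads a package.json, compares every dependency name against an allowlist of legitimate names, and flags names that are not an exact match but sit within a small Levenshtein distance of one. The allowlist, the sample package.json (including the constructed near-miss "pupeteer" and the placeholder versions) and the distance threshold are all assumptions for the example.

```javascript
// Added example (not from the article): flag dependency names that are a
// near miss of a well-known package. Everything below is constructed.

// Constructed allowlist of legitimate npm package names (assumption).
const KNOWN_PACKAGES = ["puppeteer", "husky", "jest-fetch-mock"];

// Constructed package.json with two look-alike names mixed in.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    puppeteer: "1.0.0",        // exact match: legitimate
    "jest-fet-mock": "1.0.0",  // one of the names reported in the campaign
  },
  devDependencies: {
    husky: "1.0.0",            // exact match: legitimate
    pupeteer: "1.0.0",         // constructed one-character typo
    lodash: "1.0.0",           // not on the allowlist and not close to anything on it
  },
});

// Levenshtein edit distance using a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j]; // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return prev[b.length];
}

// Return every dependency that is not on the allowlist but is within
// maxDistance edits of an allowlisted name. Names are lowercased because
// npm package names are case-insensitive in practice.
function findSuspiciousDependencies(packageJsonText, known, maxDistance = 2) {
  const pkg = JSON.parse(packageJsonText);
  const knownSet = new Set(known.map((n) => n.toLowerCase()));
  const names = [
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ];
  const findings = [];
  for (const rawName of names) {
    const name = rawName.toLowerCase();
    if (knownSet.has(name)) continue; // exact match: fine
    let best = null;
    for (const candidate of knownSet) {
      const d = levenshtein(name, candidate);
      // Require the distance to be small both absolutely and relative to the
      // candidate's length, so very short names do not produce noise.
      if (d <= maxDistance && d < candidate.length / 2 && (best === null || d < best.distance)) {
        best = { name: rawName, lookalike: candidate, distance: d };
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

// Usage: prints the two look-alikes from the constructed package.json.
console.log(findSuspiciousDependencies(SAMPLE_PACKAGE_JSON, KNOWN_PACKAGES));
```

A check like this belongs in a pre-install or CI step where it can block the build; it is a heuristic, so the allowlist should be the organisation's own set of approved packages rather than a guess at what is popular.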
