Hundreds of widely used npm packages have been spoofed to target developers with credential-stealing malware as part of an ongoing typosquatting campaign that facilitates command-and-control via Ethereum smart contracts, reports The Register.
Typosquatted versions of Puppeteer, Bignum.js, and 285 other libraries have been used by the threat actors to compromise developer machines and maintain persistent access, according to an analysis from Phylum. Socket researchers found that the popular git hooks library husky was also typosquatted as part of the campaign, with numerous other malware-laced npm packages using the same attack chain published within a 24-hour period. A separate analysis by Checkmarx researchers found similar C2 infrastructure in the typosquatted package jest-fet-mock, which impersonated the fetch-mock-jest and Jest-Fetch-Mock testing utilities for JavaScript. "Given that the legitimate packages are primarily used in development environments where developers typically have elevated system privileges, and are often integrated into CI/CD pipelines, we believe this attack specifically targets development infrastructure through the compromise of testing environments," said Checkmarx researcher Yehuda Gelb.
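The lookalike names in this campaign (jest-fet-mock for jest-fetch-mock, and the like) are the kind of near-miss a simple edit-distance check over a project's declared dependencies can surface before `npm install` runs. The script below is an added example written for this article, not code from The Register, Phylum, Socket, or Checkmarx: it parses a package.json, compares each dependency name against an allow-list of the package names a team actually uses, and flags any name that is within two edits of a known one. The allow-list, the sample package.json, and the distance threshold are all assumptions made for the demonstration.

```javascript
// Added example: typosquat check for npm dependency names.
// KNOWN_PACKAGES is a constructed allow-list; in practice it would come from
// a reviewed lockfile or an internal registry mirror.
const KNOWN_PACKAGES = [
  "puppeteer",
  "bignum",
  "husky",
  "jest-fetch-mock",
  "fetch-mock-jest",
];

// Constructed package.json for the demo: two lookalike names and one
// legitimate one ("husky" is on the allow-list and must not be flagged).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: { puppeter: "^22.0.0", "jest-fet-mock": "1.0.0" },
  devDependencies: { husky: "^9.0.0" },
});

// Optimal string alignment distance: Levenshtein (insert/delete/substitute)
// plus adjacent-character transposition, so both dropped letters
// ("jest-fet-mock") and swapped letters ("jest-fecth-mock") score low.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () =>
    new Array(b.length + 1).fill(0)
  );
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(
        d[i - 1][j] + 1,        // deletion
        d[i][j - 1] + 1,        // insertion
        d[i - 1][j - 1] + cost  // substitution
      );
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Returns one finding per dependency that is NOT on the allow-list but sits
// within maxDistance edits of an allow-listed name. Exact matches are trusted;
// names unlike anything known are left for a separate review, since this
// heuristic only catches lookalikes, not arbitrary malicious packages.
function findTyposquats(packageJsonText, known = KNOWN_PACKAGES, maxDistance = 2) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (known.includes(name)) continue;
    for (const candidate of known) {
      const distance = editDistance(name.toLowerCase(), candidate.toLowerCase());
      if (distance <= maxDistance) {
        findings.push({ name, lookalikeOf: candidate, distance });
        break;
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(findTyposquats(SAMPLE_PACKAGE_JSON), null, 2));
```

Run against the sample manifest this flags `puppeter` (one edit from `puppeteer`) and `jest-fet-mock` (two edits from `jest-fetch-mock`) and leaves `husky` alone. The check is a pre-install gate, not a substitute for provenance: a threshold of two edits produces false positives on short names, and it says nothing about a package that is maliciously published under an unrelated name, so pair it with a pinned lockfile and a policy of not running lifecycle scripts from unreviewed packages.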