The legitimate ESLint packages on the npmjs.com registry are called "typescript-eslint" and "@typescript-eslint/eslint-plugin." This has unscrupulous actors publishing a typosquat named "@typescript_eslinter/eslint" that very closely resembles the names of the real libraries, but is up to no good. The counterfeit component has been downloaded thousands of times. Similarly, attacks impersonated another popular npm package "@types/node" with its counterfeit version having scored 6,765 weekly downloads with 20,502 downloads over the course of its lifetime.
Sonatype's 2024 Open Source Malware report highlights that 98.5% of all open source malware discovered by us was published in the npmjs.com registry, which remains a prominent choice among threat actors looking to push their malicious artifacts downstream to millions.
Earlier this month, Sonatype discovered malicious typosquats that very closely impersonate the legitimate npm libraries, Typescript's ESLint, and @types/node. These counterfeit components, listed below, have been downloaded thousands of times.
- types-node - 20,502 total downloads. Tracked as sonatype-2024-013242
- @typescript_eslinter/eslint - 3,030 total downloads. Tracked as sonatype-2024-013026
The counterfeit versions were analyzed by Sonatype security researchers Jeff Thornhill and Ali ElShakankiry.
While typosquatting attacks are hardly new, the effort spent by nefarious actors on these two libraries to pass them off as legitimate is noteworthy. Furthermore, the high download counts for packages like "types-node" are signs that point to both some developers possibly falling for these typosquats, and threat actors artificially inflating these counts to boost the trustworthiness of their malicious components:
Published by the npm author account ~typescript_eslinter—a misleading username, the fake ES Lint package contains metadata, such as links to GitHub repository that further tout this component as trustworthy.
The GitHub repository contains much the same files as the counterfeit npm component. Another tactic, the attacker has employed is publishing a fake "Prettier" package called, @typescript_eslinter/prettier. The fake "prettier" package impersonates the well-known code formatter library but secretly installs the malicious "@typescript_eslinter/eslint" package as it runs.
The fake "prettier" package installs the malicious "ESLint" typosquat by the same author:
Hiding in plain sight
Both the fake npmjs package "@typescript_eslinter/eslint" and its GitHub repository contain a vague file called "prettier.bat." .BAT is an extension used by Windows batch files containing, for example, installation commands for applications, as a simple use case:
The index.js file in the "@typescript_eslinter/eslint" npm package (also available on the component's Github repository) also makes no effort to hide its functionality either. The code block from line 17 and onwards is explicitly dropping the "prettier.bat" file into a temporary AppData\Roaming directory and adding it to the list of "Startup" applications so that it runs every time your Windows system is booted:
Far from being a "batch" file though, the "prettier.bat" file is actually a Windows executable (.exe) that has previously been flagged as a trojan and dropper on VirusTotal. These trojans are often versatile, shipped with extensive capabilities from accessing Windows registry keys, to exfiltrating sensitive files and installing more malware and backdoors on the compromised system.
A test run in the ANY.RUN sandbox also confirms the executable's suspicious behavior:
Given these packages' names, a human eye might miss these, should these be quietly included as a dependency in one or more applications used by the user, leading to their environment becoming infected.
Abuses Pastebin to download stage 2 payload
The "types-node" counterfeit package takes another intermediary step. It uses very simple string reversing and base64 encoding functions to mask the URL to a Pastebin page (a "paste"). The paste further contains instructions to run a malicious executable which has been, yet again, misleadingly named as "npm.exe".
"The package downloads and executes scripts from Pastebin. This code will take an embedded npm.exe and add a Visual Basic script that runs it," states ElShakankiry. "The npm.exe is a known malicious binary."
Open source malware blocked by Sonatype Repository Firewall
This isn't the first time a stunt like this has been pulled, but it's a stark reminder of threat actors' evolving tactics and commitment to exploiting the open source ecosystem for nefarious reasons. The case highlights a pressing need for improved supply chain security measures and greater vigilance in monitoring third-party software registries developers. Organizations must prioritize security at every stage of the development process to mitigate risks associated with third-party dependencies.
Sonatype Repository Firewall and Sonatype Lifecycle stay on top of nascent attacks and vulnerabilities and provide you with detailed insights to thwart previously undetected malware, Potentially Unwanted Applications (PUAs), and vulnerable components from reaching your builds:
Malicious open source is designed to evade typical software composition analysis (SCA) scanners. However, users of Sonatype Repository Firewall can rest easy knowing that these packages would automatically be blocked from reaching their development builds and keep their software development life cycle (SDLC) hygienic.
