Have you ever downloaded an NPM package and thought, "It's just a normal library, it should be safe"? Well, not always. Recently, security researchers discovered a total of ten fake NPM packages that secretly downloaded a program designed to steal personal and system information. These malicious packages hit victims on Windows, Linux, and macOS, so virtually anyone could be affected.
• "typescriptjs" was used instead of typescript
• "deezcord.js" instead of discord.js
When a user installs a fake package, it executes a postinstall script that downloads an infostealer program without the user's knowledge. The infostealer looked for and stole the following types of information:
It's concerning, because most of us are constantly installing NPM packages, without questioning them. In one command, (if compromised) an npm install command can easily help to execute a hack.
• Look at the package names prior to installing—if it appears even slightly different—don't install.
• Don't install packages from an unknown publisher or that have very little history.
• After installing an NPM package, run an npm audit to first check the install for known issues.
• Look inside the package.json file and see what scripts it is set to run after install.
• If you are to install a package from an untrusted project or source, consider using a sandbox or virtual machine for testing.
• If you suspect that you installed a suspicious package, change your passwords and tokens.
A couple of seconds to exercise caution can save hours of cleanup later.
The next time you run an npm install, take a moment and ask yourself, "Why do I trust that package?"
Remember, an answer like "I don’t know” or “No reason" could ultimately lead to a hacker being right at home in your system. So stay vigilant, stay safe, and code conservatively.
	
		
			
		
		
	
			
How the Hackers Deceive Developers
The attackers used a clever strategy known as 'typosquatting': creating package names that are almost identical to the names of real packages. For example:
• "typescriptjs" was used instead of typescript
• "deezcord.js" instead of discord.js
When a user installs one of the fake packages, a postinstall script runs and downloads an infostealer without the user's knowledge. The infostealer looked for and stole the following types of information:
- Passwords and cookies from the browser
- SSH keys and API tokens
- Crypto wallets
- System keychain login information
Why It’s a Huge Problem
This attack targeted multiple systems; regardless of whether you code on Windows, Linux, or macOS, you could be affected. That is a large part of what makes it so concerning. It is also concerning because most of us are constantly installing NPM packages without questioning them. If a package is compromised, a single npm install command can be enough to carry out the attack.
What You Can Do to Protect Yourself
First, don't panic; there are some easy things you can do:
• Look closely at package names before installing. If a name looks even slightly different from the one you expect, don't install it.
• Don't install packages from an unknown publisher or packages that have very little history.
• After installing an NPM package, run npm audit to check the installed dependencies for known issues.
• Look inside the package's package.json file and check which lifecycle scripts (such as postinstall) it is set to run during installation.
• If you need to install a package from an untrusted project or source, consider testing it first in a sandbox or virtual machine.
• If you suspect that you installed a suspicious package, change your passwords and tokens.
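The two checks above (look-alike names and install-time scripts) can be automated before a package is ever installed. The script below is an added example written for this post, not code from the original article or from any of the packages it mentions; it reads an already parsed package.json object, and the sample manifest and the list of well-known package names are constructed for illustration.

```javascript
// Added example (not from the original post): pre-install triage of a package
// manifest. Reports lifecycle scripts that npm would run automatically on
// install and flags names that are a near-miss of a well-known package.

const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];

// Classic Levenshtein edit distance, used to spot typosquats such as
// "deezcord.js" vs "discord.js" (distance 3) or "typescriptjs" vs "typescript" (2).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // d[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j]; // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return prev[b.length];
}

// Returns a list of findings for a parsed package.json object. `knownNames`
// is the caller's allow-list of popular packages to compare against; the
// distance threshold is a heuristic and can false-positive on very short names.
function inspectPackage(pkg, knownNames, maxDistance = 3) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_SCRIPTS) {
    if (scripts[hook]) findings.push({ type: "lifecycle-script", hook, command: scripts[hook] });
  }
  const name = String(pkg.name || "").toLowerCase();
  if (!knownNames.includes(name)) {
    for (const known of knownNames) {
      const distance = editDistance(name, known);
      if (distance > 0 && distance <= maxDistance) {
        findings.push({ type: "possible-typosquat", name, lookalike: known, distance });
      }
    }
  }
  return findings;
}

// Constructed sample manifest: a look-alike of discord.js with a postinstall hook.
const SAMPLE_PACKAGE = {
  name: "deezcord.js",
  version: "1.0.0",
  scripts: { postinstall: "node ./setup.js", test: "echo ok" },
};
const KNOWN_PACKAGES = ["discord.js", "typescript", "express", "lodash"];

for (const f of inspectPackage(SAMPLE_PACKAGE, KNOWN_PACKAGES)) console.log(JSON.stringify(f));
```

If a package has no legitimate need for install hooks, `npm install --ignore-scripts` stops them from running at all, which removes the postinstall vector described above.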
A couple of seconds to exercise caution can save hours of cleanup later.
Conclusion
This incident demonstrates how even trusted open-source systems such as NPM can harbor hidden dangers. Hackers know that developers tend to move quickly and often don't check everything that gets pulled into their systems. The next time you run an npm install, take a moment and ask yourself, "Why do I trust that package?"
Remember, an answer like "I don't know" or "No reason" could ultimately lead to a hacker being right at home in your system. So stay vigilant, stay safe, and code conservatively.