Microsoft Azure developers targeted by 200-plus data-stealing npm packages

Another day, another attack on the software supply chain

A group of more than 200 malicious npm packages targeting developers who use Microsoft Azure has been removed two days after they were made available to the public.

Security firm JFrog on Wednesday said that earlier this week its automated analysis system began raising the alarm about dubious uploads to the npm Registry, the most popular public source of software libraries for the JavaScript ecosystem. This group of packages grew from about 50 to at least 200 by March 21.

"After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure npm scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope," observed security researchers Andrey Polkovnychenko and Shachar Menashe in a write-up. "Currently, the observed malicious payload of these packages was PII (Personally identifiable information) stealers."

For npm – the command line tool for interacting with the npm Registry – a scope is a namespace prefix that associates packages with an individual or organization. Packages scoped for use with Microsoft Azure combine the scope identifier "@azure" with a descriptive package name (e.g. core-tracing) to form identifiers like "@azure/core-tracing". This makes it easier to search for Azure-relevant npm packages and easier for organizations to manage code. It also matters for security: only members of the account that owns a scope can publish under it, which is why the attacker could not publish inside @azure and had to go after the unscoped names instead.

The threat actor attempting this software supply-chain attack created at least 218 packages and gave them names identical to the @azure scoped packages but without the @azure portion of the name. In doing so, the attacker hoped to benefit from user error.

"The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package," explain Polkovnychenko and Menashe. "For example, running npm install core-tracing by mistake, instead of the correct command – npm install @azure/core-tracing."
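As an added example (not JFrog's tooling and not code from the original article), the following script audits a package.json for the mistake described above: an unscoped dependency whose bare name matches a known @azure package. The manifest contents, the short list of @azure names and the version threshold are constructed for illustration; a real audit would pull the full scope listing from the registry.

```javascript
// Added example: detect "scope-drop" typosquats in a package.json.
// The @azure list and the manifest below are constructed for the example.

const KNOWN_AZURE = [
  "@azure/core-tracing",
  "@azure/identity",
  "@azure/storage-blob",
  "@azure/keyvault-secrets",
];

// Constructed manifest: one correct scoped dependency, three scope-drops,
// one unrelated package. Note the absurd 99.10.9 on core-tracing.
const manifest = {
  dependencies: {
    "@azure/identity": "^2.0.0",
    "core-tracing": "99.10.9",
    "storage-blob": "^12.0.0",
    "express": "^4.17.0",
  },
  devDependencies: {
    "keyvault-secrets": "*",
  },
};

function unscopedName(scoped) {
  return scoped.split("/")[1];
}

// Returns one finding per unscoped dependency whose bare name collides with
// a scoped package from the known list, across all dependency fields.
function findScopeDrops(pkg, known = KNOWN_AZURE) {
  const byBare = new Map(known.map((n) => [unscopedName(n), n]));
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (name.startsWith("@")) continue; // already scoped, not a drop
      const intended = byBare.get(name);
      if (intended) findings.push({ field, installed: name, intended, range });
    }
  }
  return findings;
}

// Secondary signal: a declared version with an implausibly high major number.
// The threshold of 50 is an assumption chosen for the example.
function suspiciouslyHigh(range, maxMajor = 50) {
  const m = /(\d+)\.\d+\.\d+/.exec(range);
  return m !== null && Number(m[1]) > maxMajor;
}

function report(pkg) {
  return findScopeDrops(pkg).map((f) => ({
    ...f,
    highVersion: suspiciouslyHigh(f.range),
    fix: `npm uninstall ${f.installed} && npm install ${f.intended}`,
  }));
}

for (const f of report(manifest)) {
  console.log(`${f.field}: ${f.installed} -> did you mean ${f.intended}?` +
    (f.highVersion ? ` (version ${f.range} is suspiciously high)` : ""));
}
```

Run it against the constructed manifest and it flags core-tracing, storage-blob and keyvault-secrets, with the 99.10.9 version on core-tracing called out separately.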

In addition to typosquatting on the package names, the attacker appears to have been trying to set up a dependency confusion attack, publishing the packages with absurdly high version numbers (e.g. 99.10.9). The bet is that a private registry proxy which merges an internal registry with the public npm Registry, or an npm client resolving an unpinned range such as "latest", will simply pick the highest version available, so the attacker's public 99.10.9 beats any internal 1.x build. The usual defences are to publish internal packages under an organization scope, pin that scope to the internal registry in .npmrc (a line of the form @myorg:registry=https://npm.internal.example/, with an illustrative scope and hostname), and commit a lockfile so versions are not re-resolved on every install.
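To make the resolution step concrete, here is an added example (not npm's or JFrog's code) that models a registry proxy merging an internal registry with the public one and picking the highest version matching the requested range. The registry URLs, package names and versions are constructed, and the range syntax supports only "*", "latest", exact versions and caret ranges.

```javascript
// Added example: a simplified model of dependency confusion through a
// merging registry proxy, and of scope-to-registry pinning as the fix.
// Registry URLs, package contents and versions are constructed.

const INTERNAL = "https://npm.internal.example/"; // assumed private registry
const PUBLIC = "https://registry.npmjs.org/";

// The company publishes 1.2.3 internally (unscoped and under @corp);
// an attacker publishes the same names publicly as 99.10.9.
const REGISTRIES = {
  [INTERNAL]: { "core-tracing": ["1.2.3"], "@corp/core-tracing": ["1.2.3"] },
  [PUBLIC]: { "core-tracing": ["99.10.9"], "@corp/core-tracing": ["99.10.9"] },
};

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal range support: "*"/"latest" (anything), exact "1.2.3", caret "^1.2.3".
// Caret is modelled as same major and >= base; the 0.x special case is ignored.
function satisfies(version, range) {
  if (range === "*" || range === "latest") return true;
  if (range.startsWith("^")) {
    const base = range.slice(1);
    return parseSemver(version)[0] === parseSemver(base)[0] &&
      compareSemver(version, base) >= 0;
  }
  return compareSemver(version, range) === 0;
}

// Which upstreams are consulted for a name under a given .npmrc-like config?
// Assumption: npmrc.scopes maps "@scope" -> single registry URL; anything else
// goes to npmrc.registry, a list of upstreams the default proxy merges.
function registriesFor(name, npmrc) {
  const scope = name.startsWith("@") ? name.split("/")[0] : null;
  if (scope && npmrc.scopes[scope]) return [npmrc.scopes[scope]];
  return npmrc.registry;
}

// Resolve the way a merging proxy does: highest matching version across upstreams.
function resolve(name, range, npmrc) {
  let best = null;
  for (const url of registriesFor(name, npmrc)) {
    for (const v of REGISTRIES[url][name] || []) {
      if (satisfies(v, range) && (best === null || compareSemver(v, best.version) > 0)) {
        best = { version: v, from: url };
      }
    }
  }
  return best;
}

// Weak: the default registry merges internal and public, nothing is scoped.
const WEAK = { registry: [INTERNAL, PUBLIC], scopes: {} };
// Hardened: internal code lives under @corp, and @corp is pinned to INTERNAL.
const HARDENED = { registry: [PUBLIC], scopes: { "@corp": INTERNAL } };

console.log("weak, latest:      ", resolve("core-tracing", "latest", WEAK));
console.log("weak, ^1.2.0:      ", resolve("core-tracing", "^1.2.0", WEAK));
console.log("hardened, scoped:  ", resolve("@corp/core-tracing", "latest", HARDENED));
console.log("hardened, unscoped:", resolve("core-tracing", "latest", HARDENED));
```

The four calls show the whole story: under the weak configuration an unpinned request for core-tracing resolves to the attacker's 99.10.9 from the public registry, a caret range happens to save it this time, and only the scoped name with its registry pinned is consulted exclusively against the internal registry. The last call is the reminder that pinning the scope does nothing for an unscoped name, which still goes to the public registry. In a real .npmrc the pin is a single line such as @corp:registry=https://npm.internal.example/.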

Polkovnychenko and Menashe speculate that the attacker may have been hoping to compromise the accounts of engineers working on Azure code within Microsoft as well as developers building software on Redmond's cloud.

The attacker further tried to avoid detection by using an upload script that generated a unique username for each uploaded package, so that no single account would stand out. That particular deception doesn't count for much, since account reputation is only one of many signals considered when programmatically assessing whether an npm package is malicious.

Socket, a recently launched service, for example, looks for anomalies related to install scripts, licenses, README documentation, significant code changes, network access, and unusual versioning, among other things, to spot suspect packages. JFrog offers a set of free npm scanning tools, too.

According to Polkovnychenko and Menashe, the malicious packages averaged about 50 downloads each across the 218 packages in the two days the campaign operated before being disrupted. That's potentially as many as 10,900 victims, though npm download counts include automated mirrors and security scanners, so the number of developers who actually installed the packages is likely lower.

The two security researchers argue that the surge in software supply-chain attacks through npm, PyPI, and other software package registries demands additional security measures.

"For example, adding a CAPTCHA mechanism on npm user creation would not allow attackers to easily create an arbitrary amount of users from which malicious packages could be uploaded, making attack identification easier (as well as enabling blocking of packages based on heuristics on the uploading account)," they suggest.

"In addition to that, the need for automatic package filtering as part of a secure software curation process, based on either SAST [static application security testing] or DAST [dynamic application security testing] techniques (or preferably – both), is likely inevitable." ®


Biting the hand that feeds IT © 1998–2022