![[The AI Show Episode 149]: Google I/O, Claude 4, White Collar Jobs Automated in 5 Years, Jony Ive Joins OpenAI, and AI’s Impact on the Environment](https://www.marketingaiinstitute.com/hubfs/ep%20149%20cover.png)
_Illia_Uriadnikov_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![PSA: Spotify facing widespread outage [U: Fixed]](https://i0.wp.com/9to5mac.com/wp-content/uploads/sites/6/2023/06/spotify-logo-2.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1){kind=logo}
![Apple Turned Down Musk's $5B Starlink Deal — Now the Consequences Are Mounting [Report]](https://www.iclarified.com/images/news/97432/97432/97432-640.jpg)
![WhatsApp Finally Launches iPad App [Download]](https://www.iclarified.com/images/news/97435/97435/97435-640.jpg)
![T-Mobile, Verizon and AT&T under fire for lack of transparency on surveillance [UPDATED]](https://m-cdn.phonearena.com/images/article/170786-two/T-Mobile-Verizon-and-AT-T-under-fire-for-lack-of-transparency-on-surveillance-UPDATED.jpg?#)
NPM users warned dozens of malicious packages aim to steal host and network data
A total of 60 packages were recently removed from NPM.
- Socket found 60 malicious NPM packages
- The malware spoofed legitimate packages
- It was capable of exfiltrating sensitive data
Cybersecurity researchers Socket have warned of multiple malicious packages hosted on NPM, stealing sensitive user data and relaying it to the attackers.
In a blog post, Socket said it identified 60 packages on NPM, which were uploaded from May 12 onward, using three separate accounts. The packages contained a post-install script that runs during ‘npm install’ and exfiltrates hostnames, internal IP addresses, user home directories, current working directories, usernames, and system DNS servers.
The script also checks for hostnames related to cloud providers, and reverse DNS strings, to make sure it’s not running in a sandbox.
While theoretically possible, Socket said the packages did not deliver additional malware, or escalate privileges. Also, no persistence mechanisms were spotted, either.
Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.
It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats.
Preferred partner (What does this mean?)View Deal
A new spin on old tricks
Apparently, this was a typical typosquatting attack.
The names of the packages were similar to other, legitimate ones, such as “flipper-plugins”, “react-xterm2”, or “hermes-inspector-msggen”. Based on the names, the researchers surmised that the attackers targeted CI/CD pipelines.
Before being pulled from the repository, the packages were downloaded roughly 3,000 times.
The complete list of the 60 malicious packages can be found on this link. Those who have downloaded any of these are advised to remove them immediately and then run a full system scan. They should also rotate key credentials and activate 2FA where possible.
Socket discovered a separate campaign, also on NPM, and also employing the typosquatting technique. This one, however, distributes eight malicious packages that can delete files, corrupt data, and brick entire systems. They’ve been present on NPM for roughly two years, it was said, and during this time, they managed to amass 6,200 downloads.
Platforms such as NPM or PyPI are constantly targeted by cybercriminals who use it to try and compromise software developers working on open-source projects.
Via BleepingComputer
You might also like
- YouTubers targeted by blackmail campaign to promote malware on their channels
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
