CyberSecurity news

FlagThis - #typosquatting

@Talkback Resources //
Cybersecurity researchers have recently discovered a series of malicious packages lurking within the npm registry, a popular repository for JavaScript packages. These packages are designed to mimic the legitimate "node-telegram-bot-api," a widely used library for creating Telegram bots. However, instead of providing bot functionality, these rogue packages install SSH backdoors on Linux systems, granting attackers persistent, passwordless remote access. The identified malicious packages include "node-telegram-utils," "node-telegram-bots-api," and "node-telegram-util," which have accumulated around 300 downloads collectively.

The packages employ a technique known as "typosquatting," where they use names similar to the legitimate library to deceive developers into installing them. They also utilize "starjacking" by linking to the genuine library's GitHub repository, further enhancing their appearance of authenticity. Once installed on a Linux system, these malicious packages inject SSH keys into the "~/.ssh/authorized_keys" file, enabling attackers to remotely access the compromised machine. They also collect system information, including the username and external IP address, and transmit it to a remote server controlled by the attackers.

Security experts warn that simply removing the malicious packages is insufficient to eliminate the threat. The injected SSH keys provide a persistent backdoor, allowing attackers to execute code and exfiltrate data even after the packages are uninstalled. This incident highlights the growing threat of supply chain attacks targeting development ecosystems like npm, underscoring the importance of rigorous dependency auditing and vigilant monitoring to safeguard systems from malicious code and unauthorized access. The researchers at Socket recommend immediate defensive actions to combat these types of threats.
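Because uninstalling the packages leaves the injected key in place, the practical check after a suspected install is an audit of ~/.ssh/authorized_keys itself. The Python script below is an added example, not code from the original article or from Socket: it parses the authorized_keys line format (optional comma-separated options, key type, base64 key blob, comment), computes the OpenSSH-style SHA256 fingerprint of each key, and reports every entry whose fingerprint is not on an allowlist of keys your own provisioning process placed there. The sample file, the allowlist and the key blobs are constructed placeholders; the `fake_ed25519_key` helper only builds a syntactically valid blob and is not a real key pair.

```python
import base64
import hashlib
import re

# Key types accepted in authorized_keys (OpenSSH names, including sk- prefixed FIDO keys).
KEY_TYPE = re.compile(
    r"^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)?$"
)


def _tokenize(line):
    """Split on whitespace, but keep double-quoted option values (e.g. command="a b") intact."""
    tokens, cur, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob, e.g. 'SHA256:abc...'."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per non-comment line: options, key type, fingerprint, comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = _tokenize(line)
        idx = next((i for i, t in enumerate(tokens) if KEY_TYPE.match(t)), None)
        entry = {"line": lineno, "raw": line, "malformed": False}
        try:
            if idx is None or idx + 1 >= len(tokens):
                raise ValueError("no key type / key blob found")
            entry.update(
                options=" ".join(tokens[:idx]),
                key_type=tokens[idx],
                fingerprint=fingerprint(tokens[idx + 1]),
                comment=" ".join(tokens[idx + 2:]),
            )
        except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
            entry["malformed"] = True
        entries.append(entry)
    return entries


def audit(entries, allowlist):
    """Findings as (line number, reason, detail): malformed lines and keys not on the allowlist."""
    findings = []
    for e in entries:
        if e["malformed"]:
            findings.append((e["line"], "malformed", e["raw"]))
        elif e["fingerprint"] not in allowlist:
            findings.append((e["line"], "unknown-key", e["comment"] or e["fingerprint"]))
    return findings


def fake_ed25519_key(seed):
    """Build a syntactically valid ssh-ed25519 public-key blob from 32 constructed bytes.
    NOT a real key pair; it exists only so the sample file parses and fingerprints."""
    assert len(seed) == 32

    def ssh_string(b):
        return len(b).to_bytes(4, "big") + b

    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(seed)).decode()


# Constructed sample ~/.ssh/authorized_keys: two provisioned keys and one nobody provisioned.
CI_KEY = fake_ed25519_key(bytes(range(32)))
BACKUP_KEY = fake_ed25519_key(bytes(range(32, 64)))
UNEXPECTED_KEY = fake_ed25519_key(b"\x41" * 32)

SAMPLE_AUTHORIZED_KEYS = f"""\
# deploy key for CI
ssh-ed25519 {CI_KEY} ci@build
command="/usr/bin/rrsync /srv/backup",no-pty ssh-ed25519 {BACKUP_KEY} backup@host
ssh-ed25519 {UNEXPECTED_KEY} root@unknown
"""

# Allowlist of fingerprints placed by your own provisioning process (constructed here).
ALLOWLIST = {fingerprint(CI_KEY), fingerprint(BACKUP_KEY)}


def run_sample():
    return audit(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS), ALLOWLIST)


if __name__ == "__main__":
    for line, reason, detail in run_sample():
        print(f"line {line}: {reason}: {detail}")
```

On the constructed sample the only finding is line 4, the key with no matching allowlist fingerprint. Comparing fingerprints rather than comments matters because the comment field is free text an attacker can set to anything plausible; the fingerprint is what `ssh-keygen -lf` would print for the same line, so the allowlist can be built from your provisioning records.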



References:
  • ciso2ciso.com: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • Talkback Resources: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • The Hacker News: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • Talkback Resources: Talkback.sh discusses Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems [app] [net] [mal]
  • ciso2ciso.com: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems – Source:thehackernews.com
  • linuxsecurity.com: We Linux security administrators face a growing challenge with sophisticated supply chain attacks targeting popular development ecosystems, such as npm.
  • securityonline.info: Malicious npm Packages Backdoor Telegram Bot Developers
  • gbhackers.com: Malicious npm Packages Target Linux Developers with SSH Backdoor Attacks
  • gbhackers.com: In a sophisticated onslaught targeting the open-source ecosystem, reports have emerged detailing several malicious npm packages that are nefariously exploiting the Telegram Bot API to install backdoors on unsuspecting developers’ Linux systems.
SC Staff@scmagazine.com //
The Lazarus Group, a North Korean APT, is actively targeting developers through the npm ecosystem by publishing malicious packages. These packages are designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy backdoors. The attackers use typosquatting, mimicking legitimate library names to deceive developers into downloading the compromised versions. The packages contain BeaverTail malware and the InvisibleFerret backdoor and exhibit identical obfuscation techniques, cross-platform targeting, and command-and-control mechanisms consistent with previous Lazarus campaigns.

Six malicious npm packages have been identified, including postcss-optimizer, is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, and react-event-dependency. These packages have been collectively downloaded over 330 times and contain the BeaverTail malware, which functions as both an infostealer and a loader designed to steal login credentials, exfiltrate sensitive data, and deploy backdoors in compromised systems. The Lazarus Group also maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy.



References:
  • The DefendOps Diaries: Lazarus Group's Latest Supply Chain Attacks on Developers
  • BleepingComputer: North Korean Lazarus hackers infect hundreds via npm packages
  • bsky.app: Reports on the six malicious npm packages linked to the Lazarus Group.
  • The Hacker News: The Lazarus Group, a North Korean APT, is actively targeting the npm ecosystem by publishing malicious packages that closely mimic legitimate libraries, deceiving developers into incorporating harmful code into their projects.
  • socket.dev: North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor.
  • securityaffairs.com: Lazarus Strikes npm Again with New Wave of Malicious Packages
  • hackread.com: Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack
  • Threats | CyberScoop: Lazarus Group deceives developers with 6 new malicious npm packages
  • www.scworld.com: Malware spread by Lazarus Group via counterfeit npm packages
  • securityonline.info: Typosquatting & Backdoors: Lazarus’ Latest npm Campaign
  • BleepingComputer: Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus.
  • Security Risk Advisors: The Lazarus Group, North Korea’s notorious state-backed cyber threat actor, has infiltrated the npm ecosystem once again, deploying
  • Security Risk Advisors: Lazarus Group Deploys Malicious npm Packages to Target Developers and Exfiltrate Data
  • securityonline.info: The notorious North Korean threat actor Lazarus Group has been identified breaching Windows web servers to establish command-and-control
  • Datadog Security Labs: Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access
Kirsten Doyle@Information Security Buzz //
Socket researchers have discovered a malicious campaign infiltrating the Go ecosystem using typosquatted packages. These packages are designed to install hidden loader malware targeting Linux and macOS systems. The threat actor has published at least seven packages that impersonate widely used Go libraries.

These malicious packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor. One of the packages appears to target financial-sector developers. The typosquatted packages can execute remote code, potentially stealing data or credentials.
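All three campaigns on this page rely on the same trick: a dependency name that is one keystroke away from a trusted library (the "node-telegram-bots-api" lookalikes), or a trusted name with a plausible suffix bolted on (the Lazarus "postcss-optimizer" and "is-buffer-validator" packages), or a misspelt Go module path. A manifest check that compares every declared dependency against an allowlist of names the team actually intends to use catches both shapes before `npm install` or `go mod download` runs. The Python below is an added example, not code from Socket or any of the articles cited here: it implements optimal-string-alignment edit distance (insert, delete, substitute, adjacent swap), classifies each name, and scans a package.json and a go.mod. The allowlists, the sample manifests and the Go module names are constructed; the "extends-trusted" heuristic is an assumption of this example and will also flag legitimate derivatives such as react-dom, so treat it as a review queue rather than a verdict.

```python
import json

# Constructed allowlists of names the team actually intends to depend on.
TRUSTED_NPM = {"node-telegram-bot-api", "postcss", "is-buffer", "lodash", "react"}
TRUSTED_GO = {"github.com/gorilla/mux", "golang.org/x/crypto"}


def osa_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, or swap adjacent chars."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]


def classify(name, trusted, max_distance=2):
    """Return (verdict, related trusted name). Verdicts: trusted, near-miss, extends-trusted, unknown."""
    if name in trusted:
        return ("trusted", name)
    closest = min(trusted, key=lambda t: osa_distance(name, t))
    if osa_distance(name, closest) <= max_distance:
        return ("near-miss", closest)  # one or two keystrokes from a trusted name
    for t in sorted(trusted):
        # Heuristic (this example's assumption): trusted name plus a suffix. Flags legitimate
        # derivatives too (react-dom), so it is a review signal, not a block.
        if name.startswith(t + "-") or name.startswith(t + "_"):
            return ("extends-trusted", t)
    return ("unknown", None)


def scan_package_json(text, trusted=TRUSTED_NPM):
    """Classify every name in dependencies and devDependencies of a package.json."""
    manifest = json.loads(text)
    names = []
    for section in ("dependencies", "devDependencies"):
        names.extend(manifest.get(section, {}))
    return {n: classify(n, trusted) for n in names}


def scan_go_mod(text, trusted=TRUSTED_GO):
    """Classify every module path in the require block(s) of a go.mod (comments stripped)."""
    names, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if in_block or line.startswith("require "):
            parts = line.replace("require ", "", 1).split()
            if parts:
                names.append(parts[0])
    return {n: classify(n, trusted) for n in names}


# Constructed sample manifests. The npm names are the lookalikes named in the reports above;
# the misspelt Go module path is made up for the example.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-bot",
  "dependencies": {
    "node-telegram-bots-api": "^0.1.0",
    "lodash": "^4.17.21",
    "postcss-optimizer": "^1.0.0"
  },
  "devDependencies": {"is-buffer-validator": "^1.0.0"}
}"""

SAMPLE_GO_MOD = """module example.com/demo

go 1.22

require (
    github.com/gorila/mux v1.8.0 // indirect
    golang.org/x/crypto v0.21.0
)
"""

if __name__ == "__main__":
    for manifest, result in (("package.json", scan_package_json(SAMPLE_PACKAGE_JSON)),
                             ("go.mod", scan_go_mod(SAMPLE_GO_MOD))):
        for name, (verdict, related) in result.items():
            print(f"{manifest}: {name}: {verdict}" + (f" (cf. {related})" if related else ""))
```

Run it as a pre-install step in CI: a "near-miss" is almost never intentional and can fail the build outright, while "extends-trusted" and "unknown" names go to a human for a one-time decision that then lands in the allowlist. Starjacking makes the linked GitHub repository useless as evidence, so the name check should not be skipped because a package "has a repo".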



References:
  • Information Security Buzz: Typosquatted Go Packages Distribute Malware Loader Targeting Linux and macOS
  • Anonymous: Researchers have found a malicious campaign targeting Go developers with fake libraries. At least 7 typosquatted packages impersonate popular Go modules to deploy loader malware. These can execute remote code, stealing data or credentials on Linux and macOS systems.
  • socket.dev: Typosquatted Go Packages Deliver Malware Loader Targeting Linux and macOS Systems
  • The Hacker News: Seven Malicious Go Packages Found Deploying Malware on Linux and macOS Systems