CyberSecurity news

FlagThis - #typosquatting

SC Staff@scmagazine.com //

Lazarus Group Strikes NPM with Malicious Packages - The Lazarus Group is targeting the npm ecosystem with malicious packages designed to compromise developer environments and steal credentials.
The Lazarus Group, a North Korean APT, is actively targeting developers through the npm ecosystem by publishing malicious packages. These packages are designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy backdoors. The attackers use typosquatting, mimicking legitimate library names to deceive developers into downloading the compromised versions. The packages contain BeaverTail malware and the InvisibleFerret backdoor and exhibit identical obfuscation techniques, cross-platform targeting, and command-and-control mechanisms consistent with previous Lazarus campaigns.

Six malicious npm packages have been identified, including postcss-optimizer, is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, and react-event-dependency. These packages have been collectively downloaded over 330 times and contain the BeaverTail malware, which functions as both an infostealer and a loader designed to steal login credentials, exfiltrate sensitive data, and deploy backdoors in compromised systems. The Lazarus Group also maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy.

Recommended read:
References :
  • The DefendOps Diaries: Lazarus Group's Latest Supply Chain Attacks on Developers
  • BleepingComputer: North Korean Lazarus hackers infect hundreds via npm packages
  • bsky.app: Reports on the six malicious npm packages linked to the Lazarus Group.
  • The Hacker News: The Lazarus Group, a North Korean APT, is actively targeting the npm ecosystem by publishing malicious packages that closely mimic legitimate libraries, deceiving developers into incorporating harmful code into their projects.
  • socket.dev: North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor.
  • securityaffairs.com: Lazarus Strikes npm Again with New Wave of Malicious Packages
  • hackread.com: Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack
  • Threats | CyberScoop: Lazarus Group deceives developers with 6 new malicious npm packages
  • www.scworld.com: Malware spread by Lazarus Group via counterfeit npm packages
  • securityonline.info: Typosquatting & Backdoors: Lazarus’ Latest npm Campaign
  • BleepingComputer: Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus.
  • Security Risk Advisors: The Lazarus Group, North Korea’s notorious state-backed cyber threat actor, has infiltrated the npm ecosystem once again, deploying
  • Security Risk Advisors: Lazarus Group Deploys Malicious npm Packages to Target Developers and Exfiltrate Data
  • securityonline.info: The notorious North Korean threat actor Lazarus Group has been identified breaching Windows web servers to establish command-and-control The post appeared first on .
  • Datadog Security Labs: Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access
Jeff Burt@DevOps.com //

Typosquatting in the Go Ecosystem - A malicious package imitating BoltDB in the Go ecosystem contains a backdoor for remote code execution, exploiting the Go Module Mirror's caching mechanism.
References: ciso2ciso.com , Lobsters , bsky.app ...
A malicious package imitating the popular BoltDB module has been discovered in the Go ecosystem. This package contains a backdoor that enables remote code execution, posing a significant security risk to developers using the compromised module. The malicious package, a typosquat of BoltDB, was discovered by researchers at Socket, an application security company.

This attack exploits the Go Module Mirror's caching mechanism, allowing the malware to persist undetected despite manual code reviews. After the malware was cached by the Go Module Mirror, the git tag was strategically altered on GitHub to remove traces of malicious code and hide it from manual review. To mitigate software supply-chain threats, Socket advises developers to verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect installed code at a deeper level.

Recommended read:
References :
  • ciso2ciso.com: Source: thehackernews.com – Author: . Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems.
  • Lobsters: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
  • The Hacker News: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
  • bsky.app: Socket Security has discovered a malicious Go module for the BoltDB database that contains a hidden backdoor. The module is cached in the Go Module Mirror, the first attack documented making it in the the Go Module Mirror despite manual code reviews. https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
  • ciso2ciso.com: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
  • fosstodon.org: Socket: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
  • DevOps.com: Typosquat Supply Chain Attack Targets Go Developers
  • securityonline.info: Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s
  • securityonline.info: Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s The post appeared first on .
  • www.infoworld.com: Malicious package found in the Go ecosystem
  • ciso2ciso.com: Malicious package found in the Go ecosystem – Source: www.infoworld.com
  • ciso2ciso.com: Source: www.infoworld.com – Author: The malicious package, a typosquat of the popular BoltDB module, is said to be among the first known exploits of the Go Module Mirror’s indefinite module caching.
  • heise online English: Typosquatting in the Go ecosystem: Fake BoltDB package discovered A malicious package in the Go ecosystem imitates BoltDB and contains a backdoor. Attackers used the caching service to spread the malware unnoticed.
  • www.heise.de: Typosquatting in the Go ecosystem: Fake BoltDB package discovered
Kirsten Doyle@Information Security Buzz //

Malicious Go Packages Distribute Malware Loader on Linux/macOS - Socket researchers uncovered a malicious campaign infiltrating the Go ecosystem with typosquatted packages that install hidden loader malware targeting Linux and macOS systems, impersonating widely used Go libraries and targeting financial-sector developers.
Socket researchers have discovered a malicious campaign infiltrating the Go ecosystem using typosquatted packages. These packages are designed to install hidden loader malware targeting Linux and macOS systems. The threat actor has published at least seven packages that impersonate widely used Go libraries.

These malicious packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor. One of the packages appears to target financial-sector developers. The typosquatted packages can execute remote code, potentially stealing data or credentials.

Recommended read:
References :
  • Information Security Buzz: Typosquatted Go Packages Distribute Malware Loader Targeting Linux and macOS
  • Anonymous ???????? :af:: Researchers have found a malicious campaign targeting Go developers with fake libraries. At least 7 typosquatted packages impersonate popular Go modules to deploy loader malware. These can execute remote code, stealing data or credentials on Linux and macOS systems.
  • socket.dev: Typosquatted Go Packages Deliver Malware Loader Targeting Linux and macOS Systems
  • The Hacker News: Seven Malicious Go Packages Found Deploying Malware on Linux and macOS Systems
@github.com //

NPM Command Confusion Leads to Supply Chain Risk - A typo between similar NPM commands has led developers to install a benign 'user' package, posing a potential supply chain risk.
References: checkmarx.com , malware.news ,
A significant issue has arisen within the NPM ecosystem due to confusion between two similar commands: `npm add user` and `npm adduser`. The command `npm add user`, intended as an alias for `npm install`, has inadvertently led a large number of developers to install a package named 'user'. This error stems from the similarity in commands and the chance of a developer hitting a whitespace when quickly typing 'npm adduser', which is used to create a user in the registry. This oversight, which was pointed out in a Pull Request but ignored, underscores a concerning supply chain vulnerability that could be exploited.

This innocent looking ‘user’ package, currently a simple hello-world application, has been downloaded nearly 12 million times. The concern is that the benign package could be updated in the future to include malicious code. NPM reports 2760 dependent packages, with at least 20 added in December 2024 alone, indicating the widespread nature of this mistake. This means that a future update to the ‘user’ package would pose a risk to the thousands of developers who have inadvertently installed it and any packages that depend on it, turning a simple typo into a potential security nightmare.

Recommended read:
References :

Posts

Blogs

Research Tools