Azure developers targeted in a large supply chain attack
Over 200 hundred malicious NPM packages were crafted to steal developers’ personal identifiable information (PII).
Security researchers at JFrog say they have identified a large-scale supply chain attack explicitly aimed at Azure developers.
Azure is a cloud computing service operated by Microsoft. Developers writing code for the Azure cloud environment often use NPM, a public software registry.
JFrog researchers noted automated alerts on a set of packages in the NPM registry. Manual inspection revealed a massive increase in infected packages.
“After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure npm scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope,” said JFrog’s researchers.
According to their investigation, the malicious payload of said packages were PII stealers. Researchers say they informed NPM maintainers about the issue, and the malicious packages were removed.
However, the report’s authors say that, on average, malicious packages were downloaded 50 times each. In total, at least 218 malicious packages were identified.
How did they do it?
Researchers identified the attack as ‘typosquatting,’ where attackers create malicious packages with the same name as an existing Azure scope package, minus the scop name.
“The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package. For example, running npm install core-tracing by mistake, instead of the correct command – npm install @azure/core-tracing,” reports’ authors say.
Simultaneously, threat actors tried to carry out a ‘dependency confusion attack.’ All malicious packages were given a high version number to trick developers into believing the packages were legitimately updated versions.
An analysis of the malicious payload showed that threat actors aimed to collect usernames, home directory, working directory, IP addresses, and other information.
Researchers suggest protecting NPM packages with a CAPTCHA mechanism to prevent users from creating malicious packages en masse.
“Due to the meteoric rise of supply chain attacks, especially through the NPM and PyPI package repositories, it seems that more scrutiny and mitigations should be added,” researchers claim.
More from Cybernews:
Subscribe to our newsletter