Microsoft Azure developers targeted with flood of malicious npm packages

A finger pressing a padlock icon
(Image credit: Shutterstock)

More than 200 malicious npm packages were recently removed from the npm registry, security experts have confirmed.

The goal of the packages was to steal personally identifiable information (PII) from the endpoints of Microsoft Azure developers.

As per a report from The Register, security firm JFrog’s automated analysis of the repository started raising alarms about suspicious uploads earlier this week. Manual inspection has since uncovered a group of more than 200 packages, all of which were essentially malware.

TechRadar needs you!

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

"After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure npm scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope," security researchers Andrey Polkovnychenko and Shachar Menashe said in their analysis of the incident.

Fooling people

In an attempt to trick the developers, the attackers gave the malicious packages the same name as their non-malicious counterparts, with the @azure scope identifier missing.

"The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package," the researchers explained. "For example, running npm install core-tracing by mistake, instead of the correct command – npm install @azure/core-tracing."

But that’s not the only way the attackers tried to fool people into downloading these malicious packages. They also added high version numbers hoping that internal npm private proxies search for newer versions of packages first.

Finally, the attackers uploaded the packages via an automated script that created a unique username for each upload, probably in hopes of avoiding common detection methods.

In total, 218 malicious packages were uploaded and were in place for two days. During that time, they were downloaded an average of 50 times each, totalling roughly 10,000 potential victims.

Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.