Hundreds of code libraries posted to NPM try to install malware on dev machines

The IP tackle returned by a package deal Phylum analyzed was: hxxp://193.233.201[.]21:3001.

Whereas the strategy was probably supposed to hide the supply of second-stage infections, it satirically had the impact of leaving a path of earlier addresses the attackers had used up to now. The researchers defined:

An fascinating factor about storing this knowledge on the Ethereum blockchain is that Ethereum shops an immutable historical past of all values it has ever seen. Thus, we are able to see each IP tackle this menace actor has ever used.

On 2024-09-23 00:55:23Z it was hxxp://localhost:3001
From 2024-09-24 06:18:11Z it was hxxp://45.125.67[.]172:1228
From 2024-10-21 05:01:35Z it was hxxp://45.125.67[.]172:1337
From 2024-10-22 14:54:23Z it was hxxp://193.233[.]201.21:3001
From 2024-10-26 17:44:23Z it’s hxxp://194.53.54[.]188:3001

When put in, the malicious packages come within the type of a packed Vercel package. The payload runs in reminiscence, units itself to load with every reboot, and connects to the IP tackle from the ethereum contract. It then “performs a handful of requests to fetch further Javascript recordsdata after which posts system data again to the identical requesting server,” the Phylum researchers wrote. “This data consists of details about the GPU, CPU, the quantity of reminiscence on the machine, username, and OS model.”

Assaults like this one depend on typosquatting, a time period for the usage of names that carefully mimic these of respectable packages however comprise small variations, corresponding to people who would possibly happen if the package deal was inadvertently misspelled. Typosquatting has lengthy been a tactic for luring folks to malicious web sites. Over the previous 5 years, typosquatting has been embraced to trick builders into downloading malicious code libraries.

Builders ought to at all times double-check names earlier than working downloaded packages. The Phylum weblog publish gives names, IP addresses, and cryptographic hashes related to the malicious packages used on this marketing campaign.