Full Report
Threat actors have been observed uploading malicious typosquats of legitimate npm packages such as typescript-eslint and @types/node that have racked up thousands of downloads on the package registry. The counterfeit versions, named @typescript_eslinter/eslint and types-node, are engineered to download a trojan and retrieve second-stage payloads, respectively. "While typosquatting attacks are
Analysis Summary
# Tool/Technique: Malicious npm Typosquatting Packages (`@typescript_eslinter/eslint` and `types-node`)
## Overview
This entry describes a supply chain attack against the npm registry that uses typosquatted (deliberately misspelled) packages impersonating legitimate developer tools (`typescript-eslint` and `@types/node`). The malicious packages act as downloaders for second-stage malware, including a known trojan executable.
## Technical Details
- Type: Malware/Supply Chain Attack (Dropper/Trojan)
- Platform: Windows (Inferred from `.bat` file persistence mechanism)
- Capabilities: Downloading and executing trojans/initial access payloads, achieving persistence via Windows Startup folder modification.
- First Seen: November/October 2024 (Context of detection/analysis)
## MITRE ATT&CK Mapping
- T1588 - Obtain Capabilities
  - T1588.002 - Tool
- T1190 - Exploit Public-Facing Application (Initial compromise vector via registry)
- T1037 - Boot or Logon Autostart Execution
  - T1037.001 - Registry Run Keys / Startup Folder
- T1027 - Obfuscated Files or Information
  - T1027.004 - Software Packing
- T1105 - Inhibit System Recovery
  - T1105.003 - Remote File Copy (Implied by payload retrieval)
## Functionality
### Core Capabilities
- **Impersonation:** Typosquatting legitimate, high-use packages (`@typescript_eslinter/eslint` targets `typescript-eslint`; `types-node` targets `@types/node`).
- **Payload Delivery:** Downloading trojans (in the case of `@typescript_eslinter/eslint`) or fetching scripts from Pastebin URLs to execute malware (in the case of `types-node`).
- **Execution:** The malicious component disguised as `prettier.bat` is actually a Windows executable (.exe).
### Advanced Features
- **Persistence:** The malicious executable (`prettier.bat`) is dropped into a temporary directory and added to the Windows Startup folder to ensure automatic execution upon system reboot.
- **Evasion:** The malicious JavaScript code within the npm packages used obfuscation techniques.
- **Inflated Trust:** Threat actors appear to have artificially inflated download counts to boost the perceived trustworthiness of the malicious components.
## Indicators of Compromise
- File Hashes:
  - **`prettier.bat` (masquerading `.exe` trojan/dropper):** `ab3e8378aa31584160898d97d1ecfead2a63cd977efacec98df375fefdda3016` (SHA256 noted in context)
- File Names:
  - `prettier.bat` (actually an `.exe` file)
  - `npm.exe` (deceptive name for the second-stage executable downloaded via `types-node`)
- Registry Keys:
  - Modification of the Windows Startup folder location for persistence.
- Network Indicators:
  - Pastebin URL (used by `types-node` to fetch second-stage scripts).
- Behavioral Indicators:
  - Installation of files into temporary directories.
  - Adding entries to the system Startup location.
  - Network connections to external URLs (such as Pastebin) to download arbitrary scripts/executables immediately after installation.
## Associated Threat Actors
- Unnamed threat actors operating campaigns across multiple registries (npm, VSCode Marketplace).
## Detection Methods
- **Signature-based detection:** Known hashes for the identified trojan/dropper (`prettier.bat`).
- **Behavioral detection:** Monitoring for `npm` packages creating executable files and modifying the Windows Startup directory. Monitoring for JavaScript code executing PowerShell or cmd processes that download external resources from suspicious URLs (like Pastebin).
- **YARA rules:** Rules could target the specific obfuscated JavaScript patterns found in the malicious packages.
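The behavioural indicators above (install-time hooks, `child_process` use, Pastebin URLs, `.bat`/`.exe` artefacts in a temp directory, Startup-folder references) can be screened statically before a package is ever installed. The following script is an added example written for this summary, not code from the original report or from any vendor tool; the indicator patterns and the two sample packages it writes to a temp directory are constructed for illustration (the "suspicious" sample contains inert strings only and is never executed). `INDICATORS`, `scan_package` and `build_sample_packages` are names chosen here.

```python
"""Static triage of an unpacked npm package for install-time downloader behaviour."""
import json
import os
import re
import tempfile

# Indicator patterns (constructed for this example; tune them to your environment).
INDICATORS = {
    "paste_site_url": re.compile(r"https?://(?:www\.)?pastebin\.com/\S+", re.I),
    "shell_spawn": re.compile(r"child_process|\b(?:exec|execSync|spawn|spawnSync)\s*\(", re.I),
    "cmd_or_powershell": re.compile(r"\b(?:cmd|powershell)(?:\.exe)?\b", re.I),
    "exe_or_bat_artifact": re.compile(r"\.(?:bat|exe)\b", re.I),
    "startup_folder": re.compile(r"\bStartup\b", re.I),
    "temp_dir": re.compile(r"os\.tmpdir\(\)|%TEMP%|\bTEMP\b", re.I),
}
# npm runs these scripts automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SCAN_SUFFIXES = (".js", ".cjs", ".mjs", ".json", ".bat", ".cmd", ".ps1")


def scan_file(path):
    """Return the names of the indicator patterns that match the file's text."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_package(pkg_dir):
    """Triage an unpacked package directory: lifecycle hooks, per-file hits, verdict."""
    hooks = {}
    manifest = os.path.join(pkg_dir, "package.json")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts") or {}
        hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}

    hits = {}
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            if name.endswith(SCAN_SUFFIXES):
                full = os.path.join(root, name)
                found = scan_file(full)
                if found:
                    hits[os.path.relpath(full, pkg_dir)] = found

    distinct = sorted({i for found in hits.values() for i in found})
    # An install-time hook combined with two or more dropper/downloader indicators
    # is the pattern the report describes: code that runs during `npm install`
    # and fetches or drops something.
    if hooks and len(distinct) >= 2:
        verdict = "suspicious"
    elif hooks or distinct:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hooks": hooks, "hits": hits, "indicators": distinct, "verdict": verdict}


def build_sample_packages():
    """Write two constructed sample packages to a temp dir and return (suspicious, benign).

    The suspicious sample mirrors the described behaviour with inert strings only;
    the benign sample has no lifecycle hooks and no indicators.
    """
    base = tempfile.mkdtemp(prefix="npm-triage-")
    bad = os.path.join(base, "types-node-sample")
    os.makedirs(bad)
    with open(os.path.join(bad, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "types-node-sample", "version": "1.0.0",
                   "scripts": {"postinstall": "node install.js"}}, fh)
    with open(os.path.join(bad, "install.js"), "w", encoding="utf-8") as fh:
        fh.write(
            "// Constructed sample (never executed): inert strings mirroring the described behaviour.\n"
            'const cp = require("child_process");\n'
            'const url = "https://pastebin.com/raw/EXAMPLE_PLACEHOLDER";\n'
            'const dropPath = require("path").join(require("os").tmpdir(), "prettier.bat");\n'
            "// ... fetch url, write dropPath, copy it into the Startup folder ...\n"
        )
    good = os.path.join(base, "benign-sample")
    os.makedirs(good)
    with open(os.path.join(good, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "benign-sample", "version": "1.0.0", "main": "index.js"}, fh)
    with open(os.path.join(good, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = (a, b) => a + b;\n")
    return bad, good


if __name__ == "__main__":
    for pkg in build_sample_packages():
        print(os.path.basename(pkg), json.dumps(scan_package(pkg), indent=2))
```

Run it against the contents of `node_modules/<pkg>` or an unpacked `npm pack` tarball; a `suspicious` verdict means a lifecycle hook plus at least two distinct indicators, which is the combination worth blocking in CI before installation.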
## Mitigation Strategies
- **Supply Chain Vigilance:** Thoroughly vet third-party packages from open-source registries, especially when dependencies have low download counts or newly created associated accounts/repositories.
- **Dependency Scanning:** Integrate Software Composition Analysis (SCA) tools capable of identifying suspicious behaviors or known malicious patterns within dependencies before installation.
- **IDE Security:** Treat IDE extensions (VSCode) as high-risk components, as they provide deep access to the development lifecycle.
- **Endpoint Protection:** Ensure robust EDR/Antivirus solutions are in place to flag known malware hashes (like the identified trojan executable) and block suspicious startup modifications.
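Vetting dependencies for look-alike names can be automated in a pre-install check. The script below is an added example written for this summary, not code from the original report or from npm; it normalises names so that scope-mangled squats such as `types-node` vs `@types/node` collide, and applies edit distance to the scope and base-name parts so that `@typescript_eslinter/eslint` is matched to `typescript-eslint`. The reference list and sample `package.json` are constructed stand-ins for a curated allowlist and a real project manifest; `levenshtein`, `lookalikes` and `screen_manifest` are names chosen here.

```python
"""Typosquat screening of a project's npm dependencies against a reference list."""
import json
import re

MIN_TOKEN_LEN = 6   # ignore very short name parts such as "node" to limit noise
MAX_DISTANCE = 2    # edits allowed before two name parts count as look-alikes

# Constructed reference list; in practice use a curated allowlist or download-count data.
REFERENCE_PACKAGES = ["typescript-eslint", "@types/node", "eslint", "prettier", "lodash"]

# Constructed sample manifest containing the two package names from the report.
SAMPLE_MANIFEST = json.dumps({
    "name": "sample-app",
    "dependencies": {"express": "^4.0.0", "lodash": "^4.17.0", "types-node": "*"},
    "devDependencies": {"@typescript_eslinter/eslint": "*"},
})


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name):
    """Lower-case and keep only letters/digits: '@types/node' -> 'typesnode'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def name_parts(name):
    """Comparable parts of a package name: the whole name plus scope and base if scoped."""
    parts = {normalize(name)}
    if name.startswith("@") and "/" in name:
        scope, base = name[1:].split("/", 1)
        parts.update({normalize(scope), normalize(base)})
    return {p for p in parts if len(p) >= MIN_TOKEN_LEN}


def lookalikes(dep, reference):
    """Return [(reference_name, distance), ...] for reference packages that dep resembles."""
    if dep in reference:
        return []  # exact, legitimate dependency
    found = []
    for ref in reference:
        if normalize(dep) == normalize(ref):
            found.append((ref, 0))  # identical once scope marker and punctuation are removed
            continue
        best = min((levenshtein(a, b) for a in name_parts(dep) for b in name_parts(ref)),
                   default=None)
        if best is not None and best <= MAX_DISTANCE:
            found.append((ref, best))
    return sorted(found, key=lambda t: (t[1], t[0]))


def screen_manifest(package_json_text, reference):
    """Screen dependencies and devDependencies from a package.json string."""
    manifest = json.loads(package_json_text)
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    return {d: hits for d in sorted(deps) if (hits := lookalikes(d, reference))}


if __name__ == "__main__":
    for dep, hits in screen_manifest(SAMPLE_MANIFEST, REFERENCE_PACKAGES).items():
        print(f"{dep}: resembles {hits}")
```

A distance of 0 means the name is identical after normalisation (the scope-mangling trick), while 1 or 2 flags single-character typos and suffix insertions such as `eslinter`; any hit should block the install until a human confirms the package is the intended one.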
## Related Tools/Techniques
- Typosquatting attacks against other registries (e.g., PyPI, RubyGems).
- Malicious VSCode Extensions (mentioned in the article: *EVM.Blockchain-Toolkit*, *ZoomVideoCommunications.Zoom*, etc.).
- JavaScript downloaders/droppers utilizing obfuscation.