After being alerted to the threat by a user on Twitter, npm worked quickly to track down and remove the infected packages. HackTask has since been banned from using the npm repository, but developers should note the risk associated with similar infections and tactics.
The attacker used typosquatting to register packages that had names similar to popular libraries on the npm registry. According to npm’s blog, while errant package naming is often accidental, the typosquatting was intentional and malicious in this case.
Twitter user Oscar Bolmsten alerted npm to the attacking technique. The Swedish developer noted the anomaly in the crossenv package, which bears a name similar to the npm cross-env script used to set environmental variables across platforms.
Another registered package was called mongose, which included both the genuine Mongoose project and additional malevolent code, reported Bleeping Computer. The npm blog post explained that the attackers wanted to use the malicious code to hoard knowledge from deceived users.
The Scale of the Attack
The security team at npm immediately investigated the threat, tracked other errant libraries and removed 38 packages. All of HackTask’s malicious activities, which were available from July 19 to 31, have now been removed from the registry.
The largest danger came from the crossenv package. Researchers at npm reported that this package was downloaded almost 700 times during the two-week period. However, the firm also estimated that there were just 50 real installations of crossenv, and possibly fewer.
While the malicious activity has now stopped, the incident represents a real threat to developers. The errant files would have run a script named package-setup.js, according to The Register. The malicious code would have been implemented when developers ran their projects. It would have then gathered environment variables of developers and sent them to the attacker’s server at npm.hacktask.net, the Bleeping Computer article noted.
Long-Term Risks to Developers
Attackers target environmental variables because they are regularly used to offer credentials to software, npm CTO CJ Silverio told The Register. These environmental variables are used to store sensitive data points, including account names, passwords, tokens and keys for access to other applications and services. Silverio added that she is unaware of any developers suffering account compromises due to the attack.
The npm security team said it was working to resolve the current problem and related concerns. This includes a range of programmatic techniques and other approaches to detect packages with similar names, as well as improving controls to enhance overall security. According to another Bleeping Computer piece, the npm security team forced users to reset their passwords in June 2017 after discovering that 13 percent of its packages relied on frail credentials.
The company provided a list of affected packages in its blog post. Developers who might have used any of these infected packages should change their passwords immediately.