Cyber Security News

Hackers Weaponizing Typosquatted Libraries To Inject SSH Backdoors

A sophisticated attack targeting npm users has recently been uncovered by Socket’s threat research team, a concerning development for the open-source community.

The threat actor, identified as “sanchezjosephine180,” has published six malicious npm packages designed to mimic popular libraries through typosquatting.

The malicious packages are:

  • babelcl
  • chokader
  • streamserch
  • sss2h
  • npmrunnall
  • node-pyt

These malicious packages are impersonating widely-used libraries such as “babel-cli,” “chokidar,” “streamsearch,” “ssh2,” “npm-run-all,” and “node-pty.”

Researchers at Socket observed that these legitimate libraries collectively boast tens of millions of downloads, making them prime targets for exploitation.


Attack Vector

The attacker’s strategy combines exploiting common typing errors with abuse of the npm postinstall script to deliver the malicious code.

Upon installation, the postinstall script executes “node app.js” and then installs the legitimate package, masking its true intent behind a working dependency.

The malicious packages inject an SSH backdoor into Linux systems, granting unauthorized access to the threat actor.

At the time of discovery, these packages had already been downloaded over 700 times, posing a significant risk to developers and organizations.

Unauthorized SSH access can have severe consequences:

  • Undetected system infiltration
  • Bypassing of security measures
  • Network-wide compromise
  • Potential for espionage and data theft
  • Gateway for ransomware attacks

Interestingly, a seventh package named “parimiko” was also identified. While currently benign, it mimics the popular Python SSH library “paramiko,” potentially setting the stage for future malicious updates.

To safeguard against such threats, developers and organizations should:

  1. Double-check package names before installation
  2. Implement strict version control
  3. Regularly audit dependencies
  4. Use security tools like Socket’s GitHub app and CLI tool

These measures can help detect and prevent malicious packages from infiltrating projects and compromising systems. As the open-source ecosystem continues to grow, so does the potential attack surface.
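As an added illustration of the name-checking and dependency-auditing steps above (this is example code, not Socket’s tooling or anything from the article), the script below flags dependency names that sit within a couple of edits of well-known packages and lists install-time lifecycle hooks declared in a manifest. KNOWN, SAMPLE_DEPS and SAMPLE_MANIFEST are constructed for the example.

```javascript
const KNOWN = ["babel-cli", "chokidar", "streamsearch", "ssh2", "npm-run-all", "node-pty"];
// Optimal-string-alignment distance: insert/delete/substitute/transpose each cost 1,
// so a swapped pair such as "pyt" vs "pty" is a single edit.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Hyphens are the easiest character to drop or misplace, so compare without them.
const normalize = (name) => name.toLowerCase().replace(/[^a-z0-9]/g, "");

// Flags each dependency that is not exactly a known package but lies within
// maxDistance of one after normalisation.
function findTyposquats(deps, known = KNOWN, maxDistance = 2) {
  const findings = [];
  for (const dep of deps) {
    if (known.includes(dep)) continue; // the genuine package, nothing to flag
    for (const legit of known) {
      const dist = editDistance(normalize(dep), normalize(legit));
      if (dist <= maxDistance) findings.push({ dep, resembles: legit, dist });
    }
  }
  return findings;
}

// Lists the install-time hooks a manifest declares; any non-empty result deserves
// a look before the package is allowed into the dependency tree.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return ["preinstall", "install", "postinstall"]
    .filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Constructed sample manifest shaped like the behaviour the article describes
// (illustrative only, not the real package's package.json).
const SAMPLE_MANIFEST = { name: "sss2h", scripts: { postinstall: "node app.js && npm install ssh2" } };
const SAMPLE_DEPS = ["express", "chokidar", "sss2h", "node-pyt", "npmrunnall"];
console.log(findTyposquats(SAMPLE_DEPS), installHooks(SAMPLE_MANIFEST));
```

The distance heuristic also catches unrelated short names (a genuine “ssh” package would sit one edit from “ssh2”), so treat hits as prompts for manual review rather than verdicts.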

Security analysts urge the developer community to remain proactive in adopting security measures and to stay informed about emerging threats, so as to maintain the integrity of their projects and of the broader open-source ecosystem.


Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
