NPM Malware | Breaking Cybersecurity News | The Hacker News

NuGet, PyPi, and npm ecosystems are the target of a new campaign that has resulted in over 144,000 packages being published by unknown threat actors. "The packages were part of a new attack vector, with attackers spamming the open source ecosystem with packages containing links to phishing campaigns," researchers from Checkmarx and Illustria  said  in a report published Wednesday. Of the  144,294 phishing-related packages  that were detected, 136,258 were published on NuGet, 7,824 on PyPi, and 212 on npm. The offending libraries have since been unlisted or taken down. Further analysis has revealed that the whole process was automated and that the packages were pushed over a short span of time, with a majority of the usernames following the convention "<a-z><1900-2022>." The fake packages themselves claimed to provide hacks, cheats, and free resources in an attempt to trick users into downloading them. The URLs to the rogue phishing pages were embed

Multiple campaigns that distributed trojanized and typosquatted packages on the NPM open source repository have been identified as the work of a single threat actor dubbed LofyGang . Checkmarx said it discovered 199 rogue packages totaling thousands of installations, with the group operating for over a year with the goal of stealing credit card data as well as user accounts associated with Discord Nitro, gaming, and streaming services. "LofyGang operators are seen promoting their hacking tools in hacking forums, while some of the tools are shipped with a hidden backdoor," the software security company said in a report shared with The Hacker News prior to its publication. Various pieces of the attack puzzle have already been reported by  JFrog ,  Sonatype , and  Kaspersky  (which called it LofyLife), but the latest analysis pulls the various operations together under one organizational umbrella that Checkmarx is referring to as  LofyGang . Believed to be an organized c

Wing Security finds and ranks all SaaS applications completely for free, removing unnecessary risk.

A malicious NPM package has been found masquerading as the legitimate software library for Material Tailwind, once again indicating attempts on the part of threat actors to distribute malicious code in open source software repositories. Material Tailwind is a  CSS-based framework  advertised by its maintainers as an "easy to use components library for Tailwind CSS and Material Design." "The malicious Material Tailwind npm package, while posing as a helpful development tool, has an automatic post-install script," Karlo Zanki, security researcher at ReversingLabs,  said  in a report shared with The Hacker News. This script is engineered to download a password-protected ZIP archive file that contains a Windows executable capable of running PowerShell scripts. The now-removed rogue package, named  material-tailwindcss , has been downloaded 320 times to date, all of which occurred on or after September 15, 2022. In a tactic that's becoming increasingly common,

A new large scale supply chain attack has been observed targeting Azure developers with no less than 218 malicious NPM packages with the goal of stealing personal identifiable information. "After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire  @azure NPM scope , by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope," JFrog researchers Andrey Polkovnychenko and Shachar Menashe  said  in a new report. The entire set of malicious packages was disclosed to the NPM maintainers roughly two days after they were published earlier this week, leading to their quick removal, but not before each of the packages were downloaded around 50 times on average. The attack refers to what's called typosquatting, which takes place when bad actors push rogue packages with names mimicking legitimate libraries to a public software registry such

Another batch of 25 malicious JavaScript libraries have made their way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after  17 similar packages  were taken down. The libraries in question leveraged typosquatting techniques and masqueraded as other legitimate packages such as colors.js, crypto-js, discord.js, marked, and  noblox.js , DevOps security firm JFrog said, attributing the packages as the work of "novice malware authors." The complete list of packages is below – node-colors-sync (Discord token stealer) color-self (Discord token stealer) color-self-2 (Discord token stealer) wafer-text (Environment variable stealer) wafer-countdown (Environment variable stealer) wafer-template (Environment variable stealer) wafer-darla (Environment variable stealer) lemaaa (Discord token stealer) adv-discord-utility (Discord token stealer) tools-for-discord (Discord t

Three JavaScript libraries uploaded to the official NPM package repository have been unmasked as crypto-mining malware, once again demonstrating how open-source software package repositories are becoming a lucrative target for executing an array of attacks on Windows, macOS, and Linux systems. The malicious packages in question — named  okhsa ,  klow , and  klown  — were published by the same developer and falsely claimed to be JavaScript-based user-agent string parsers designed to extract hardware specifics from the " User-Agent " HTTP header. But unbeknownst to the victims who imported them, the author hid cryptocurrency mining malware inside the libraries. The bad actor's NPM account has since been deactivated, and all the three libraries, each of which were downloaded 112, 4, and 65 times respectively, have been removed from the repository as of October 15, 2021. Attacks involving the three libraries worked by detecting the current operating system, before procee