Recent investigations have uncovered a sophisticated cybersecurity threat targeting developers through counterfeit npm packages and Visual Studio Code extensions. Security researchers at Sonatype have identified malicious typosquats of popular packages like typescript-eslint and @types/node, which have accumulated thousands of downloads.
The fraudulent packages, @typescript_eslinter/eslint and types-node, are designed to deploy trojans and download secondary malicious payloads. These packages utilize sophisticated techniques to appear legitimate, including creating fake GitHub repositories and artificially inflating download counts to enhance credibility.
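A defender-side check that surfaces names like the two above is to compare each dependency against a list of packages a project actually trusts, folding scope and separator differences and measuring edit distance. The following is an added example, not Sonatype's or the campaign's code; the trusted list and the benign entries are constructed, while the two lookalike names come from the report.

```javascript
// Fold an npm name onto a comparable form: lowercase, drop the scope "@", and
// treat "/", "_", "-" and "." as one separator, so "@types/node" == "types-node".
function squash(name) {
  return name.toLowerCase().replace(/^@/, "").replace(/[\/_.\-]+/g, "-");
}

// Levenshtein edit distance with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Why `candidate` resembles `trusted`, or null if it does not.
function squatReason(candidate, trusted) {
  if (candidate === trusted) return null;
  const c = squash(candidate), t = squash(trusted);
  if (c === t) return "separator/scope variant";
  if (levenshtein(c, t) <= 2) return "edit distance <= 2";
  // Padded name: every trusted token (within one edit) appears in the candidate, which has extra tokens.
  const ct = c.split("-"), tt = t.split("-");
  const covered = tt.every(x => ct.some(y => levenshtein(x, y) <= 1));
  return ct.length > tt.length && covered ? "contains trusted name's tokens" : null;
}

// Returns [{ dep, lookalikeOf, reason }] for each dependency that is not
// allow-listed itself but resembles an allow-listed name.
function findLookalikes(deps, trusted) {
  const allow = new Set(trusted), hits = [];
  for (const dep of deps) {
    if (allow.has(dep)) continue;                // exact allow-listed name
    for (const t of trusted) {
      const reason = squatReason(dep, t);
      if (reason) { hits.push({ dep, lookalikeOf: t, reason }); break; }
    }
  }
  return hits;
}

// Constructed sample input (hypothetical trusted list; two names taken from the report).
const TRUSTED = ["typescript-eslint", "@types/node", "eslint", "prettier"];
const SAMPLE_DEPS = ["@types/node", "prettier", "@typescript_eslinter/eslint", "types-node", "lodash"];
console.log(findLookalikes(SAMPLE_DEPS, TRUSTED));
```

The result is a review queue, not a verdict: a flagged name still needs a human to confirm publisher, repository and publish history before it is trusted or removed.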
Key Findings:
– @typescript_eslinter/eslint package contains a malicious “prettier.bat” file that installs itself in the Windows Startup folder
– The types-node package connects to Pastebin to retrieve harmful scripts
– Multiple malicious VSCode extensions were discovered, initially targeting cryptocurrency developers before shifting focus to Zoom application impersonation
The compromised VSCode extensions include:
– EVM.Blockchain-Toolkit
– VoiceMod.VoiceMod
– Various Zoom-related extensions
– Multiple Solidity/Ethereum-themed extensions
Security researchers emphasize that these attacks demonstrate increasing sophistication in supply chain targeting. The malicious code is heavily obfuscated, making detection more challenging. This campaign highlights the critical importance of verification when downloading development tools and the need for enhanced security measures in software registries.
Developers are advised to exercise extreme caution when installing packages and extensions, particularly verifying the authenticity of sources to prevent potential security breaches in development environments.