Malicious npm Package Mimics ESLint Plugin, Steals Sensitive Data

A recent report by the Socket Research Team uncovers a sophisticated typosquatting attack targeting developers using the popular @typescript-eslint/eslint-plugin.

The legitimate @typescript-eslint/eslint-plugin is a cornerstone of TypeScript development, with over 3 million weekly downloads and wide adoption in CI/CD pipelines. That popularity made it an attractive target: on November 17, 2023, attackers published a malicious package named @typescript_eslinter/eslint. The name reuses the legitimate scope with a hyphen swapped for an underscore and an extra “er” appended (@typescript_eslinter versus @typescript-eslint), changes small enough to be missed by a developer typing or copying an install command.

“Weaponizing trust in the open source ecosystem is the bread and butter of threat actors who leverage typosquatting to infiltrate development environments and gain unauthorized access,” the report notes. The attackers released 43 versions of the package within two weeks, a churn rate intended to stay ahead of automated detection. Although the malicious package was removed from npm on December 1, its impact was far-reaching.

The malicious package implemented a multi-faceted attack chain:

  1. Clipboard and Keyboard Monitoring: Using the clipboard-event and node-global-key-listener libraries, the malware watched clipboard contents and logged global keystrokes, capturing passwords, API keys, and other credentials as developers typed or pasted them.
  2. Persistence Mechanisms: On Windows systems the package copied itself into the Startup folder, so it relaunched at every user logon (and therefore after every reboot), embedding itself in the affected environment.
  3. Real-Time Communication: A WebSocket channel to a command server hosted in a Finnish data center gave the attackers an interactive link to compromised systems, letting them issue commands and exfiltrate data in real time.
  4. Secondary Payloads: A companion package, @typescript_eslinter/prettier, was still live on npm at the time of the report and extends the attack’s capabilities, so the threat is ongoing.
  5. Disabling Legitimate Tools: The malware disabled legitimate linting tools such as ESLint so they could not interfere with its operation, substituting its own processes for the trusted ones.
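
The two signals above that a dependency audit can check for are a package name whose scope is a near-miss of a trusted scope (item 1 in L7’s naming trick) and a package that pulls in the input-capture libraries named in item 1. The following is an added example written for this page, not code from the Socket report, from the article, or from the typescript-eslint project. It runs with Node.js alone and uses a constructed lockfile fragment; the trusted-package list and the edit-distance threshold of 2 are assumptions to tune for your own dependency set.

```javascript
// Added example, not code from the Socket report or the article.
// Audits a lockfile-style dependency map for two of the signals the report
// describes: (1) a scope that is a near-miss of a trusted scope, e.g.
// "@typescript_eslinter" vs "@typescript-eslint", and (2) a package that
// depends on the clipboard/keylogging libraries the malware used.
// Pure Node.js, no third-party modules. TRUSTED and the distance threshold
// are assumptions; the sample map at the bottom is constructed.

const TRUSTED = [
  "@typescript-eslint/eslint-plugin",
  "@typescript-eslint/parser",
  "eslint",
  "prettier",
];

// Libraries the report names as the malware's input-capture components.
const WATCHLIST = ["clipboard-event", "node-global-key-listener"];

// Split "@scope/name" into parts; unscoped packages get scope null.
function splitName(name) {
  const m = /^(?:(@[^/]+)\/)?([^/]+)$/.exec(name);
  if (!m) throw new Error(`not a valid npm package name: ${name}`);
  return { scope: m[1] || null, base: m[2] };
}

// Collapse the separators attackers swap (_ - .) so "typescript_eslinter"
// and "typescript-eslinter" compare as the same string.
function normalize(s) {
  return s.toLowerCase().replace(/[-_.]+/g, "-");
}

// Levenshtein edit distance, two-row dynamic programming.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Flag scoped names whose scope is within maxDist edits of a trusted scope
// but is not that scope, and unscoped names within maxDist of a trusted
// unscoped name. Exact trusted names are never flagged.
function findLookalikes(names, trusted = TRUSTED, maxDist = 2) {
  const trustedScopes = [...new Set(trusted.map((t) => splitName(t).scope).filter(Boolean))];
  const trustedUnscoped = trusted.filter((t) => !splitName(t).scope);
  const hits = [];
  for (const name of names) {
    if (trusted.includes(name)) continue;
    const { scope, base } = splitName(name);
    if (scope) {
      for (const ts of trustedScopes) {
        if (ts !== scope && levenshtein(normalize(scope), normalize(ts)) <= maxDist) {
          hits.push({ name, lookalikeOf: ts, reason: "scope near-miss" });
        }
      }
    } else {
      for (const tn of trustedUnscoped) {
        if (levenshtein(normalize(base), normalize(tn)) <= maxDist) {
          hits.push({ name, lookalikeOf: tn, reason: "name near-miss" });
        }
      }
    }
  }
  return hits;
}

// Walk {name: {dependencies: {dep: range}}} and report every package that
// directly depends on a watch-listed library.
function findWatchlistUsers(packages, watchlist = WATCHLIST) {
  const hits = [];
  for (const [name, meta] of Object.entries(packages)) {
    const pulls = Object.keys(meta.dependencies || {}).filter((d) => watchlist.includes(d));
    if (pulls.length) hits.push({ name, pulls });
  }
  return hits;
}

// Constructed sample: the genuine plugin, the lookalike, and a clean package.
const SAMPLE_PACKAGES = {
  "@typescript-eslint/eslint-plugin": { dependencies: { "@typescript-eslint/utils": "*" } },
  "@typescript_eslinter/eslint": {
    dependencies: { "clipboard-event": "*", "node-global-key-listener": "*" },
  },
  prettier: { dependencies: {} },
};

function audit(packages = SAMPLE_PACKAGES) {
  return {
    lookalikes: findLookalikes(Object.keys(packages)),
    watchlistUsers: findWatchlistUsers(packages),
  };
}

console.log(JSON.stringify(audit(), null, 2));
```

In a real pipeline, feed `findLookalikes` the package names from package-lock.json and `findWatchlistUsers` the resolved tree; a scope near-miss is the stronger signal, because the legitimate @typescript-eslint scope is controlled by the project, and a single-character separator change is exactly what the attacker relied on here.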

This attack exposed sensitive project data, configuration files, and credentials to the attackers. “Beyond the immediate technical risks, the attack also erodes trust in open source repositories, undermining confidence in the tools developers rely on daily,” the report highlights. With the secondary malicious package still active on npm, the threat remains unresolved for many developers. Anyone who installed either package should treat credentials present on the affected machines as compromised and rotate them, and check the Windows Startup folder for the copied payload.
