Tenable Research has uncovered a highly sophisticated, malicious npm package that amassed approximately 50,000 downloads before its removal. Dubbed “ambar-src,” this package acts as a trojan horse, deploying powerful open-source malware targeting developers across Windows, Linux, and macOS environments.
The attack relies on a classic “typosquatting” technique, specifically designed to trick developers attempting to download the highly popular “ember-source” package, which boasts over 11 million downloads.
Unlike previous supply chain attacks where legitimate packages were compromised, “ambar-src” was malicious by design and “doesn’t have any valid use cases”. The threat actor published the initial benign versions on February 13th to build false trust and accumulate almost 30,000 downloads before slipping the malicious code into a February 16th update.
The malware needs nothing from the victim beyond the install itself. It abuses the "preinstall" lifecycle script declared in the package's package.json, which npm runs automatically during installation. Tenable notes that "merely running 'npm install ambar-src' (or resolving it as a dependency) is sufficient to trigger the malicious payload," so a victim never has to import or execute the package's code. (Setting ignore-scripts=true in .npmrc, or passing --ignore-scripts to npm install, stops lifecycle scripts from running at all, at the cost of breaking packages that legitimately rely on them.)
Once triggered, the preinstall script (index.js) decodes and runs a hex-encoded, OS-specific one-liner that fetches the next-stage payload from the domain x-ya.ru.
- Windows Hosts: The script downloads and executes a 400 KB file named "msinit.exe," which contains encrypted shellcode that is decrypted and loaded directly into memory.
- Linux Hosts: The malware fetches a bash script that downloads an ELF binary named "osa". Tenable's analysis identified this binary as a client for a Golang-based reverse shell known as "reverse_ssh".
- macOS Hosts: The script leverages the native osascript utility to fetch a 500 KB JavaScript file. This payload is identified as "Apfell," a tool from the MythicAgents family capable of screenshot collection, Google Chrome data theft, and opening fake password prompts.
To blend in with normal corporate traffic, the malware utilizes “function.yandexcloud.ru” as a command-and-control (C2) relay after the initial infection. By using a well-known web service, the attackers make the malicious traffic look legitimate and less likely to be blocked by network security tools.
Tenable considers “ambar-src” to be a more mature variant of a similar campaign called “eslint-verify-plugin,” utilizing advanced evasion techniques like hex encoding the malicious command strings and burying them alongside legitimate code.
While npm swiftly removed the package from the registry less than five hours after the malicious version went live, the damage to affected systems is severe.
Tenable’s warning to affected organizations: “If this package is installed or running on a computer, that system must be considered fully compromised”. Administrators are urged to act immediately. Because the payload also fires when the package is pulled in as a transitive dependency, check package-lock.json, yarn.lock and CI build logs for ambar-src rather than only direct installs. All secrets and keys stored on an affected machine must be rotated from a separate, trusted computer, not from the compromised host. Crucially, merely uninstalling the npm package is insufficient: the attackers may already have established persistent backdoor access, so the machine should be rebuilt rather than cleaned in place.