Typosquat Campaign Targets Puppeteer Users: Researcher Warns of Malware in npm Packages
Phylum Research has exposed a new typosquatting campaign that targets developers using open-source packages like Puppeteer, Bignum.js, and several cryptocurrency libraries. This campaign, discovered on October 31, 2024, aims to deceive developers by publishing malicious packages with names similar to trusted libraries. By the time of reporting, Phylum’s automated detection platform identified 219 such malicious packages.
Phylum’s report reveals that this campaign uses typosquatting—a tactic where threat actors name malicious packages with slight variations of popular libraries to trick users into downloading them. For instance, two of the packages identified were named “pupeter” and “pupetier,” close enough to the legitimate Puppeteer library to cause accidental downloads. Phylum notes, “The decision to publish their malware packages under the 23.6.1 version appears to not be a coincidence either, as the most recent version of Puppeteer is 23.6.1”. By mirroring version numbers, the attackers enhance the packages’ credibility.
Once installed, these malicious packages run JavaScript that connects to an Ethereum smart contract; the contract stores an IP address from which further malware is fetched. According to Phylum, “The fetchAndUpdateIp function fetches the string (e.g., IP address) for the given ID… Here’s how it works”.
Storing the address on the blockchain lets the attackers keep the malware’s list of remote servers for downloading malicious executables up to date.
Supply chain attacks like this are increasingly targeting the developer community, with typosquatting emerging as a highly effective tactic. Phylum warns that “supply chain attacks are alive and well… continually evolving, and often targeting the broad software development community with malicious software packages”. For developers, this campaign serves as a stark reminder of the importance of scrutinizing package names and checking publisher details before installation.