Image: Phylum Research
Phylum Research has exposed a new typosquatting campaign that targets developers using open-source packages like Puppeteer, Bignum.js, and several cryptocurrency libraries. This campaign, discovered on October 31, 2024, aims to deceive developers by publishing malicious packages with names similar to trusted libraries. By the time of reporting, Phylum's automated detection platform had identified 219 such malicious packages.
Phylum's report reveals that this campaign uses typosquatting, a tactic where threat actors name malicious packages with slight variations of popular libraries to trick users into downloading them. For instance, two of the packages identified were named "pupeter" and "pupetier," close enough to the legitimate Puppeteer library to cause accidental downloads. Phylum notes, "The decision to publish their malware packages under the 23.6.1 version appears to not be a coincidence either, as the most recent version of Puppeteer is 23.6.1". By mirroring version numbers, the attackers enhance the packages' credibility.
Once installed, these malicious packages run JavaScript that connects to an Ethereum smart contract, which stores an IP address used to fetch further malware. According to Phylum, "The fetchAndUpdateIp function fetches the string (e.g., IP address) for the given ID… Here's how it works".
This clever use of blockchain ensures that the malware has an updated list of remote servers to download malicious executables.
Supply chain attacks like this are increasingly targeting the developer community, with typosquatting emerging as a highly effective tactic. Phylum warns that "supply chain attacks are alive and well… continually evolving, and often targeting the broad software development community with malicious software packages". For developers, this campaign serves as a stark reminder of the importance of scrutinizing package names and checking publisher details before installation.
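The name-scrutiny advice above can be automated in a pre-install check. The following is an added example (not Phylum's code and not part of the report): it flags dependencies whose names sit within a small edit distance of a trusted package and notes when the version mirrors the trusted package's latest release, as the campaign did with Puppeteer 23.6.1. The trusted list, the "bignum.js" version (left unknown) and the sample dependency list are constructed for illustration.

```javascript
// Optimal-string-alignment distance: one insert, delete, substitute or adjacent swap costs 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0))
  );
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Trusted names mapped to their current version (constructed list; 23.6.1 is the
// Puppeteer version named in the report, null means "latest not known here").
const TRUSTED = { puppeteer: "23.6.1", "bignum.js": null };

// deps: [{ name, version }] as read from a lockfile or package.json.
// Returns one finding per (dependency, trusted name) pair within maxDistance edits.
function findTyposquatCandidates(deps, trusted = TRUSTED, maxDistance = 2) {
  const findings = [];
  for (const { name, version } of deps) {
    if (name in trusted) continue; // the genuine package is not a typosquat
    for (const [legit, latest] of Object.entries(trusted)) {
      const distance = editDistance(name.toLowerCase(), legit);
      if (distance > maxDistance) continue;
      findings.push({
        name,
        closest: legit,
        distance,
        mirrorsVersion: latest !== null && version === latest, // version trick from the report
      });
    }
  }
  return findings;
}

// Constructed sample input: the two names from the report plus one benign dependency.
const SAMPLE_DEPS = [
  { name: "pupeter", version: "23.6.1" },
  { name: "pupetier", version: "23.6.1" },
  { name: "express", version: "4.19.2" },
];

console.log(JSON.stringify(findTyposquatCandidates(SAMPLE_DEPS), null, 2));
```

A real deployment would load the trusted list from your organisation's allowlist or the registry's download counts rather than a hard-coded object.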