Malicious JavaScript Packages Exploiting Typosquatting Found on Vercel
A new threat campaign has been uncovered, targeting developers through malicious JavaScript packages disguised as legitimate ones. Researchers at Phylum uncovered the campaign which leverages typosquatting and Vercel deployments to distribute malware.
**The Exposed Threat:**
An intercepted analysis revealed a malicious package incorporated into Vercel deployments. Upon installation, the package decompresses into memory, sets itself to load on each system reboot, and establishes a connection to a constantly changing IP address. This IP address, revealed through metadata stored on the Ethereum blockchain, has been observed to vary over time.
The researchers detailed several IP addresses associated with the malware, including:
On 2024-09-23 00:55:23Z it was hxxp://localhost:3001
From 2024-09-24 06:18:11Z it was hxxp://45.125.67[.]172:1228
From 2024-10-21 05:01:35Z it was hxxp://45.125.67[.]172:1337
From 2024-10-22 14:54:23Z it was hxxp://193.233[.]201.21:3001
From 2024-10-26 17:44:23Z it is hxxp://194.53.54[.]188:3001
The malware’s activities include fetching additional JavaScript files and transmitting sensitive system information to the controller server. This stolen data encompasses details like the user’s GPU, CPU, memory capacity, username, and operating system version.
**The Power of Typosquatting:**
This campaign highlights the pernicious application of typosquatting in package management. Developers, in their haste, might accidentally download a package with a name subtly different from the intended one, leading to the installation of malicious code. This tactic has been employed in various phishing and malware schemes for years, but its adaptation to software package manipulation presents a new and significant danger to developers.
**Protection Against Typosquatting:**
Developers must exercise extreme caution when installing packages. Thoroughly verify package names against official sources, scrutinize repositories for suspicious activity, and employ tools that scan for potential vulnerabilities.
Stay vigilant and protect your projects from typosquatting attacks. The Phylum blog post provides valuable insights and lists the specific names, IP addresses, and cryptographic hashes associated with these malicious packages, helping developers identify and avoid them.