Researchers have found hundreds of malicious packages in the npm repository of open-source JavaScript code, designed to steal personally identifiable information (PII) in a large-scale typosquatting attack against Microsoft Azure cloud users.

That’s according to the JFrog Security Research team, which said that the set of packages appeared earlier this week and steadily grew since then, from about 50 packages to more than 200.

Typosquatting refers to the practice of naming a malicious copycat file, package, web address and so on with a name so similar to an existing legitimate offering that a casual observer might not notice the difference. An example of typosquatting would be a web address in which the second “o” is actually a zero, used to lure victims to a watering hole while obviously trying to masquerade as the ubiquitous search engine.

In this case, the cyberattackers were pretending to offer a key set of existing, legitimate packages for Azure.

“It became apparent that this was a targeted attack against the entire npm scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope,” researchers said in a Wednesday posting.

Npm scopes are a way of grouping related packages together. “The attacker simply creates a new (malicious) package with the same name as an existing scope package, but drops the scope name,” researchers said. “The attacker is relying on the fact that some developers may erroneously omit the prefix when installing a package,” they added. For example, a developer might run npm install core-tracing by mistake instead of the correct scoped command.

JFrog found that besides the scope, other popular package groups were also targeted. The attacker also tried to hide the fact that all of the malicious packages were uploaded by the same author, “by creating a unique user (with a randomly-generated name) per each malicious package uploaded,” according to JFrog.

Npm: Ripe for Software Supply-Chain Attacks

Npm is the most oft-downloaded JavaScript package repository used by developers to build web applications, and as such, has been increasingly targeted by malicious actors to carry out software supply-chain attacks. Unfortunately, while JFrog reported the packages for removal from npm itself, developers could have pulled in the malicious code to any number of applications that are still threatening Azure users.

Any app using a malicious code block could be serving up data theft to its users (as in this particular case), or other threats like cryptojacking, botnet delivery and more.
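The scope-dropping trick described above is easy to catch before `npm install` ever runs: an unscoped dependency whose bare name matches a scoped package the project is known to use is exactly the mistake the attacker is betting on. The following Node.js script is an added example written for this page, not code from JFrog or from the article; the scope names (`@example-cloud`, `@example-tools`), the allowlist of scoped packages and the sample package.json are all constructed, and in practice the allowlist would come from a vetted lockfile or an internal registry.

```javascript
// Added example (not from the article or JFrog): flag dependencies whose name is a
// known scoped package with the scope dropped, the pattern the article describes.
// Every package name below is constructed sample data.

// Constructed allowlist of scoped packages the organisation legitimately depends on.
const KNOWN_SCOPED_PACKAGES = [
  "@example-cloud/core-tracing",
  "@example-cloud/identity",
  "@example-cloud/storage-blob",
  "@example-tools/cli",
];

// Map each bare name ("core-tracing") to the scoped packages that carry it.
function buildBareNameIndex(scopedNames) {
  const index = new Map();
  for (const full of scopedNames) {
    const m = /^@([^/]+)\/(.+)$/.exec(full);
    if (!m) continue; // not a scoped name, nothing to index
    const bare = m[2];
    if (!index.has(bare)) index.set(bare, []);
    index.get(bare).push(full);
  }
  return index;
}

// Return one finding per unscoped dependency that collides with a known scoped package.
function findScopeDroppedDependencies(packageJson, scopedNames) {
  const index = buildBareNameIndex(scopedNames);
  const findings = [];
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  for (const section of sections) {
    const deps = packageJson[section] || {};
    for (const [name, range] of Object.entries(deps)) {
      if (name.startsWith("@")) continue; // already scoped, not this pattern
      const expected = index.get(name);
      if (!expected) continue; // no scoped package shares this bare name
      findings.push({ section, installed: name, range, expected });
    }
  }
  return findings;
}

// Render findings as a short CI-style report, one line per suspicious dependency.
function formatFindings(findings) {
  if (findings.length === 0) return "OK: no scope-dropped dependencies found";
  return findings
    .map(
      (f) =>
        `SUSPICIOUS: ${f.section} -> "${f.installed}@${f.range}" ` +
        `has no scope; did you mean ${f.expected.join(" or ")}?`
    )
    .join("\n");
}

// Constructed sample package.json: two dependencies had their scope dropped.
const SAMPLE_PACKAGE_JSON = {
  name: "sample-app",
  dependencies: {
    "@example-cloud/identity": "^3.0.0",
    "core-tracing": "^1.0.0",
    express: "^4.18.0",
  },
  devDependencies: {
    cli: "^2.0.0",
  },
};

console.log(
  formatFindings(findScopeDroppedDependencies(SAMPLE_PACKAGE_JSON, KNOWN_SCOPED_PACKAGES))
);
```

Run as a pre-install step in CI (or as an `npm` `preinstall` hook in a vetted template) so that a manifest edit that drops a scope fails the build rather than fetching the impostor. The check is intentionally strict: it only reports exact bare-name collisions against the allowlist, so a legitimately unscoped package such as `express` is never flagged, while a name the organisation has only ever used in scoped form is treated as suspect until someone confirms it.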