‘Package confusion’ attack against NPM used to trick developers into downloading malware

Application testing company Checkmarx has warned developers to be on the lookout for malicious NPM packages, after discovering a new attack that employs typosquatting to impersonate two popular packages.

Part of a much larger campaign against NPM, in a new twist, the malicious package eschews traditional command & control (C2) by using the Ethereum blockchain to hold the addresses of its malicious payloads.

The campaign targets two popular NPM (Node Package Manager) packages used as part of the Jest JavaScript testing framework, “fetch-mock-jest” and “Jest-Fetch-Mock”, using a malicious package with a similar-looking name, “jest-fet-mock”.

The attacker’s assumption is that at least some developers will be in too much of a hurry to notice the misspelling, and will download one of the malicious packages.

But in what appears to be a first for attacks against NPM, the malicious package executes a routine that downloads a malware payload after receiving the server address via a smart contract published on the Ethereum blockchain. Using blockchains to obscure C2 is not new, but offers the attackers important advantages.

“By using the blockchain in this way, the attackers gain two key advantages: their infrastructure becomes virtually impossible to take down due to the blockchain’s immutable nature, and the decentralized architecture makes it extremely difficult to block these communications,” noted the Checkmarx researcher, Yehuda Gelb, in his analysis.

In other words, there is no single address, IP, or server to block. That said, there are downsides to the technique that are not mentioned by Checkmarx, including the fact that blockchain communication is slow, as well as public. The blockchains can’t be edited, or blocked easily, but they can be tracked once their use as part of malware C2 has been uncovered. 

Despite past predictions that the technique would take off, this is probably why using blockchains for C2 remains the experimental preserve of specialist malware.

Package confusion

Perhaps the more significant part of the story is that the technique is being used to target testing tools distributed via NPM, the largest open source JavaScript registry. Targeting testing tools is another way to get inside the privileged developer testing environments, and any deeper access to the CI/CD pipelines that they reveal.

NPM has become a repeated target for attackers looking to penetrate supply chains, something documented by news sites such as CSO Online, as well as by Checkmarx itself.

On that score, “jest-fet-mock” is only one example from a much larger NPM package confusion campaign documented separately by security companies Phylum and Socket.

According to Phylum, this involved at least 287 malware packages, all deploying the typosquatting technique to target developers downloading a range of libraries including Puppeteer and Bignum.js, as well as cryptocurrencies.

The question is, what can developers do to protect themselves, given that malicious packages can crop up very suddenly and be hard to spot? As Gelb of Checkmarx said, “The cross-platform nature of the malware, coupled with the fact that no security vendors have flagged these files as malicious on VirusTotal at the time of writing, makes this an actively dangerous threat to development environments.”

It gets worse

Beyond typosquatting and package impersonation lie even darker possibilities. In September, a university research study showed how AI LLM coding tools could be used to conduct “package hallucination” attacks against developers.

An LLM might hallucinate a non-existent package, referencing it inside legitimate code. Most of the time, this would fail to compile. But if the attackers were to uncover the name of that imaginary package before this happened, they could bring it into existence, hiding dormant malware inside it.

This would be the perfect supply chain attack, with no easy mitigations even when uncovered. The idea is no theory, either: across 30 different tests, the researchers found that almost 20% of the LLM-generated code samples they looked at contained references to hallucinated packages.