Research has recently identified 10 malicious packages published on the official npm (Node Package Manager) registry. The identified packages were found to be typosquatted versions of legitimate libraries.
Typosquatting is a technique in which attackers publish malicious packages under names that closely mimic legitimate, popular libraries and development tools, counting on developers to install them by accident through a misspelling or a slight variation of the intended name (e.g., a misspelling of react-cookie), so that they unknowingly download the malicious version. Once installed, these packages can harvest sensitive credentials, including tokens and passwords, from developers' environments.
This zero-permission attack silently executes a credential-harvesting payload across Windows, macOS, and Linux systems.
Targeted Platforms
The malicious packages affect developers across all major operating systems: Windows, macOS, and Linux.
Attack Stages
- Typosquatting: Adversary published packages with names resembling popular libraries (e.g., deezcord.js, dizcordjs, typescriptjs) to trick developers into installing them.
- Auto-execution: Each package defined a postinstall script that spawns a new terminal and runs an obfuscated JavaScript payload, so the malicious activity appears separate from the install command.
- Social engineering: The payload shows a fake CAPTCHA in the terminal to look legitimate and to keep users from noticing the immediate download activity.
- Payload delivery: After IP fingerprinting, the package downloads a PyInstaller-packed binary (data-extracter) tailored to the OS (Windows/macOS/Linux) which harvests credentials and sends them to attacker servers.
Impact
The consequences of installing these malicious packages can be severe:
- Credential Theft: Attackers can gain access to sensitive information, including API tokens and passwords, potentially leading to unauthorized access to critical systems and data breaches.
- Reputation Damage: Organizations may suffer reputational harm due to compromised accounts and data breaches resulting from the use of these malicious packages.
- Financial Loss: The fallout from credential theft can lead to significant financial losses, including recovery costs and potential fines.
Known malicious NPM packages (typosquats)
- typescriptjs (mimics TypeScript)
- deezcord.js, dizcordjs, dezcord.js (mimic discord.js)
- etherdjs, ethesjs, ethetsjs (mimic ethers.js)
- nodemonjs (mimics nodemon)
- react-router-dom.js (mimics react-router-dom)
- zustand.js (mimics zustand)
Source: Socket research.
Recommendation
1. Update and Patch Regularly
- Keep development tools, npm packages, and Node.js versions up to date.
- Remove or replace any deprecated or unmaintained dependencies from projects.
2. Use Trusted Sources Only
- Install packages only from official or verified sources (e.g., npmjs.com with publisher verification).
- Double-check package names, avoid typos, and look for verified author badges.
3. Implement Security Controls in CI/CD
- Run npm config set ignore-scripts true to prevent automatic execution of postinstall scripts in build pipelines.
- Use Software Composition Analysis (SCA) tools to detect typosquatting and malicious dependencies before deployment.
4. Limit Developer and System Privileges
- Avoid storing credentials, tokens, or SSH keys on developer endpoints.
- Run development in sandboxed or containerized environments with minimal access to production resources.
5. Monitor and Detect Suspicious Activity
- Track abnormal terminal launches or external connections immediately following npm installs.
- Use EDR/SIEM rules to alert on traffic to known malicious IPs and sudden binary downloads.
6. Educate Development Teams
- Conduct awareness sessions on supply-chain attacks and safe package installation practices.
- Encourage developers to review package manifests and lockfiles before installing.
7. Adopt Zero-Trust for Software Supply Chains
- Require code signing and verified package sources.
- Implement continuous validation of third-party code and dependencies.
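As an added example (not part of the Socket research or of this advisory), the following Node.js script turns the name-checking and manifest-review steps from recommendations 2, 3 and 6 into a pre-install gate for CI: it flags dependency names that are near-misspellings of an allowlist of well-known packages and flags resolved manifests that declare lifecycle scripts. The allowlist, the 2-edit threshold, the doubled-letter normalisation and the sample project/manifests are constructed assumptions, not data from the report.

```javascript
// Added example (not from the Socket research): a pre-install gate for an npm project.
// KNOWN_PACKAGES, the 2-edit threshold and the sample inputs are constructed assumptions.
const KNOWN_PACKAGES = ['typescript', 'discord.js', 'ethers', 'nodemon', 'react-router-dom', 'zustand'];
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Canonical form for comparison: drop any scope, a trailing ".js"/"js" suffix and doubled
// letters, so "deezcord.js" -> "dezcord" while the legitimate "discord.js" -> "discord".
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '')
    .replace(/(\.js|js)$/, '').replace(/(.)\1+/g, '$1');
}

// Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// The well-known package that `name` most plausibly impersonates, or null. Exact allowlist
// members pass; anything else within 2 edits after normalisation is flagged for human
// review (a heuristic, so expect occasional false positives on legitimate near-names).
function findTyposquat(name) {
  if (KNOWN_PACKAGES.includes(name)) return null;
  const n = normalize(name);
  return KNOWN_PACKAGES.find((known) => editDistance(n, normalize(known)) <= 2) || null;
}

// Audit the project's dependencies and the manifests npm resolved for them; one finding
// per problem so a CI step can fail the build on any.
function auditDependencies(projectPkg, resolvedManifests) {
  const findings = [];
  const deps = { ...(projectPkg.dependencies || {}), ...(projectPkg.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    const target = findTyposquat(name);
    if (target) findings.push({ pkg: name, issue: `possible typosquat of ${target}` });
    const scripts = Object.keys((resolvedManifests[name] || {}).scripts || {})
      .filter((s) => LIFECYCLE.includes(s));
    if (scripts.length) findings.push({ pkg: name, issue: `lifecycle script(s): ${scripts.join(', ')}` });
  }
  return findings;
}

// Constructed sample: a project that accidentally pulled in two of the reported typosquats.
const sampleProject = { dependencies: { 'deezcord.js': '^1.0.0', ethers: '^6.0.0', typescriptjs: '^5.0.0' } };
const sampleManifests = {
  'deezcord.js': { scripts: { postinstall: 'node ./install.js' } }, // would launch the payload on install
  ethers: { scripts: { build: 'tsc' } },                             // build script only, not a lifecycle hook
  typescriptjs: { scripts: { postinstall: 'node ./index.js' } },
};
for (const f of auditDependencies(sampleProject, sampleManifests)) console.log(`${f.pkg}: ${f.issue}`);
```

In a real pipeline the resolved manifests come from node_modules/<name>/package.json after a run with ignore-scripts enabled, so nothing executes before the audit has passed.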