The JFrog security team has recently identified hundreds of malicious npm packages that were most likely created to target Azure developers. The report says there are precisely 217 packages on the list, aimed at stealing PII (personally identifiable information) such as user names, home directories, IP addresses, and DNS configurations of the victim systems. This post explains how to protect your Azure development environment from these malicious npm packages.
Victims Of Malicious npm Packages:
The JFrog team says that after manually inspecting these packages, they found this was a targeted attack against all npm developers who use packages under the @azure, @azure-rest, @azure-tests, @azure-tools, and @cadl-lang scopes.
“After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure npm scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope.”
How Did Attackers Deliver the Malicious npm Packages?
Attackers used typosquatting. Under this method, the attacker simply publishes a new (malicious) package with the same name as an existing @azure-scope package but without the scope prefix. Moreover, the massive download counts of the legitimate packages eased the attacker’s task of getting the malicious packages onto victim systems.
In addition to the typosquatting infection method, the malicious packages were published with extremely high version numbers, which is indicative of a dependency confusion attack. “A possible conjecture is that the attacker tried to target developers and machines running from internal Microsoft/Azure networks and the typosquatting-based targeting of regular npm users. As mentioned, we did not pursue research on this attack vector and as such this is just a conjecture.”
Example:
@azure/core-tracing is the legitimate package.
core-tracing is the malicious package.
Moreover, the attacker probably used automated scripts to create multiple user accounts and upload the malicious packages from them, in order to hide the true origin.
List Of Identified Malicious npm Packages:
This list consists of the 217 malicious npm packages identified so far. Please visit this page for new updates.
agrifood-farming | arm-managementgroups | cadl-providerhub |
ai-anomaly-detector | arm-managementpartner | cadl-providerhub-controller |
ai-document-translator | arm-maps | cadl-providerhub-templates-contoso |
arm-advisor | arm-mariadb | cadl-samples |
arm-analysisservices | arm-marketplaceordering | codemodel |
arm-apimanagement | arm-mediaservices | communication-chat |
arm-appconfiguration | arm-migrate | communication-common |
arm-appinsights | arm-mixedreality | communication-identity |
arm-appplatform | arm-mobilenetwork | communication-network-traversal |
arm-appservice | arm-monitor | communication-phone-numbers |
arm-attestation | arm-msi | communication-short-codes |
arm-authorization | arm-mysql | communication-sms |
arm-avs | arm-netapp | confidential-ledger |
arm-azurestack | arm-network | core-amqp |
arm-azurestackhci | arm-notificationhubs | core-asynciterator-polyfill |
arm-batch | arm-oep | core-auth |
arm-billing | arm-operationalinsights | core-client-1 |
arm-botservice | arm-operations | core-http |
arm-cdn | arm-orbital | core-http-compat |
arm-changeanalysis | arm-peering | core-lro |
arm-cognitiveservices | arm-policy | core-paging |
arm-commerce | arm-portal | core-rest-pipeline |
arm-commitmentplans | arm-postgresql | core-tracing |
arm-communication | arm-postgresql-flexible | core-xml |
arm-compute | arm-powerbidedicated | deduplication |
arm-confluent | arm-powerbiembedded | digital-twins-core |
arm-consumption | arm-privatedns | dll-docs |
arm-containerinstance | arm-purview | dtdl-parser |
arm-containerregistry | arm-quota | eslint-config-cadl |
arm-containerservice | arm-recoveryservices | eslint-plugin-azure-sdk |
arm-cosmosdb | arm-recoveryservices-siterecovery | eventhubs-checkpointstore-blob |
arm-customerinsights | arm-recoveryservicesbackup | eventhubs-checkpointstore-table |
arm-databox | arm-rediscache | extension-base |
arm-databoxedge | arm-redisenterprisecache | helloworld123ccwq |
arm-databricks | arm-relay | identity-cache-persistence |
arm-datacatalog | arm-reservations | identity-vscode |
arm-datadog | arm-resourcegraph | iot-device-update |
arm-datafactory | arm-resourcehealth | iot-device-update-1 |
arm-datalake-analytics | arm-resourcemover | iot-modelsrepository |
arm-datamigration | arm-resources | keyvault-admin |
arm-deploymentmanager | arm-resources-subscriptions | mixed-reality-authentication |
arm-desktopvirtualization | arm-search | mixed-reality-remote-rendering |
arm-deviceprovisioningservices | arm-security | modelerfour |
arm-devspaces | arm-serialconsole | monitor-opentelemetry-exporter |
arm-devtestlabs | arm-servicebus | oai2-to-oai3 |
arm-digitaltwins | arm-servicefabric | openapi3 |
arm-dns | arm-servicefabricmesh | opentelemetry-instrumentation-azure-sdk |
arm-dnsresolver | arm-servicemap | pnpmfile.js |
arm-domainservices | arm-signalr | prettier-plugin-cadl |
arm-eventgrid | arm-sql | purview-administration |
arm-eventhub | arm-sqlvirtualmachine | purview-catalog |
arm-extendedlocation | arm-storage | purview-scanning |
arm-features | arm-storagecache | quantum-jobs |
arm-frontdoor | arm-storageimportexport | storage-blob-changefeed |
Arm-hanaonazure | arm-storagesync | storage-file-datalake |
arm-hdinsight | arm-storsimple1200series | storage-queue |
arm-healthbot | arm-storsimple8000series | synapse-access-control |
arm-healthcareapis | arm-streamanalytics | synapse-artifacts |
arm-hybridcompute | arm-subscriptions | synapse-managed-private-endpoints |
arm-hybridkubernetes | arm-support | synapse-monitoring |
arm-imagebuilder | arm-synapse | synapse-spark |
arm-iotcentral | arm-templatespecs | test-public-packages |
arm-iothub | arm-timeseriesinsights | test-utils-perf |
arm-keyvault | arm-trafficmanager | testing-recorder-new |
arm-kubernetesconfiguration | arm-videoanalyzer | testmodeler |
arm-labservices | arm-visualstudio | video-analyzer-edge |
arm-links | arm-vmwarecloudsimple | videojs-wistia |
arm-loadtestservice | arm-webpubsub | web-pubsub |
arm-locks | arm-webservices | web-pubsub-express |
arm-logic | arm-workspaces | |
arm-machinelearningcompute | cadl-autorest | |
arm-machinelearningexperimentation | cadl-azure-core | |
arm-machinelearningservices | cadl-azure-resource-manager | |
arm-managedapplications | cadl-playground | |
How To Protect Your Azure Development Environment From These Malicious npm Packages?
Ensure all the packages installed are legitimate. Legitimate Azure packages are published under the @azure, @azure-rest, @azure-tests, @azure-tools, and @cadl-lang scopes, so the packages you have installed for Azure development must carry one of these prefixes.
You can do this by running the following command after changing your current directory to the npm project you want to test. npm list (or npm ls) lists the installed packages. Pipe the output of npm list to grep to filter it by the package names listed in a packages.txt file; create packages.txt containing all the package names from the list above before running the command.
npm list | grep -f packages.txt
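Because grep -f matches substrings and treats each line of packages.txt as a regular expression, the one-liner above also prints the legitimate @azure/core-tracing whenever core-tracing is on the list, and an entry such as pnpmfile.js matches any character in place of the dot. The following script is an added example (not from the original post or from JFrog) that avoids both problems: it walks the JSON tree printed by `npm ls --all --json`, flags unscoped packages whose exact name is on the malicious list, and separately flags packages with an implausibly high major version, the dependency confusion indicator described earlier. The file name scan.js, the threshold of 99, and the sample tree are assumptions; the blocklist is a subset of the table above.

```javascript
// Added example: scan the output of `npm ls --all --json` for malicious
// package names and dependency-confusion style version numbers.
// Usage (scan.js is a hypothetical file name):
//   npm ls --all --json > tree.json && node scan.js tree.json
// Without an argument the script scans the constructed SAMPLE_TREE below.

// Subset of the unscoped names from the post's table; load all 217 in practice.
const MALICIOUS_NAMES = new Set([
  'core-tracing', 'core-http', 'arm-compute', 'keyvault-admin', 'pnpmfile.js',
]);

// Assumed threshold: no real package in this ecosystem has a major version this high.
const SUSPICIOUS_MAJOR = 99;

// Walk the nested "dependencies" objects that `npm ls --json` emits and return
// one finding per suspicious package: { name, version, path, reason }.
function scanTree(tree, blocklist = MALICIOUS_NAMES, majorLimit = SUSPICIOUS_MAJOR) {
  const findings = [];
  const walk = (deps, parents) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const version = (info && info.version) || '';
      const major = Number.parseInt(version.split('.')[0], 10);
      const path = [...parents, name].join(' > ');
      const scoped = name.startsWith('@');
      // Exact match on the unscoped name only: @azure/core-tracing is never flagged here.
      if (!scoped && blocklist.has(name)) {
        findings.push({ name, version, path, reason: 'name on malicious list' });
      } else if (Number.isInteger(major) && major >= majorLimit) {
        // Applies to scoped and unscoped packages alike.
        findings.push({ name, version, path, reason: 'implausibly high major version' });
      }
      walk(info && info.dependencies, [...parents, name]);
    }
  };
  walk(tree.dependencies, []);
  return findings;
}

// Constructed sample shaped like `npm ls --all --json` output (not a real project).
const SAMPLE_TREE = {
  name: 'sample-app',
  dependencies: {
    '@azure/core-tracing': { version: '1.0.1' },           // legitimate, scoped
    'core-tracing': { version: '99.10.9' },                // typosquat, unscoped
    lodash: {
      version: '4.17.21',
      dependencies: { 'arm-compute': { version: '1.0.0' } }, // transitive typosquat
    },
    'pnpmfile.js': { version: '1.0.0' },                   // dot must not act as a regex
  },
};

function main() {
  const file = process.argv[2];
  const tree = file
    ? JSON.parse(require('fs').readFileSync(file, 'utf8'))
    : SAMPLE_TREE;
  const findings = scanTree(tree);
  for (const f of findings) {
    console.log(`${f.reason}: ${f.path}@${f.version}`);
  }
  process.exitCode = findings.length === 0 ? 0 : 1;
}

if (typeof require !== 'undefined' && require.main === module) main();
```

The script exits non-zero when anything is flagged, so it can run as a CI step alongside the grep check; a finding is a prompt to inspect the package, not proof on its own, since the version heuristic can also trip on unusual but legitimate packages.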
It is always good to deploy intelligent supply chain security solutions like JFrog Xray to prevent such attacks in the future.
We hope this post will help you protect your Azure development environment from these malicious npm packages.
Original article, author: ItWorker. If reproduced, please cite the source: https://blog.ytso.com/270184.html