A "large scale" attack is targeting Microsoft Azure developers through malicious npm packages. 

On Wednesday, cybersecurity researchers from JFrog said that hundreds of malicious packages have been identified, created to steal valuable personally identifiable information (PII) from developers. 

Recommends

• Best VPN services
• Best security keys
• Best antivirus software
• The fastest VPNs

According to researchers Andrey Polkovnychenko and Shachar Menashe, the repositories were first detected on March 21 and steadily grew from roughly 50 malicious npm packages to over 200 in a matter of days.

The miscreants responsible for the npm repositories have developed an automated script that targets the @azure npm scope, alongside @azure-rest, @azure-tests, @azure-tools, and @cadl-lang. 

The script is responsible for creating accounts and uploading the npm sets, which include container services, a health bot, testers, and storage packages. 

JFrog says that typosquatting has been used to try and dupe developers into downloading the files. At the time of writing, these packages contained information stealer malware. 

Typosquatting is a form of phishing in which small changes are made to an email address, file, or website address to mimic a legitimate service or content. For example, an attacker could target users of "your-company.com" by registering a domain name with "your-c0mpany.com" -- and by replacing a single letter, they hope that victims do not notice that the resource is fraudulent. 

In this case, malicious packages are created with the same name as an existing @azure scope package, but they have dropped the scope. 

The legitimate package

The malicious counterpart, missing the scope

JFrog

"The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package," the researchers say. "For example, running npm install core-tracing by mistake, instead of the correct command -- npm install @azure/core-tracing."

Furthermore, all of the npm packages were given high version numbers, which could indicate dependency confusion attack attempts. 

"Since this set of legitimate packages is downloaded tens of millions of times each week, there is a high chance that the typosquatting attack will successfully fool some developers," JFrog added.

JFrog has provided a full list of the malicious npm packages detected so far. Npm maintainers have removed the malicious files, but Azure developers should be on the alert for further activity from this threat actor. 

See also

• Malware authors target rivals with malicious npm packages
  
• Malicious npm packages caught installing remote access trojans
  
• Malicious npm packages are stealing Discord tokens
  

---

Have a tip?Get in touch securely via WhatsApp Signal at +447713 025 499, or over at Keybase: charlie0

---

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next