- With a single typo, hackers can hijack your system using malware hidden in fake packages
- Cross-platform malware now fools even experienced developers by copying reliable open source package names
- The attackers are exploiting developer trust with stealthy payloads that dodge malware protection tools
A new supply chain attack has shown that something as simple as a typo can open the door to severe cyber security hazards, experts have warned.
A report from Checkmarx claims malicious actors are using clever tricks to fool developers into downloading fake packages, which can then give hackers control of their systems.
The attackers mainly target users of colorama, a popular Python package, and colorizr, a similar tool used in JavaScript (NPM).
Deceptive package names and typos
Ariel Harush, a researcher at Checkmarx, said, “This campaign targets Python and NPM users through typosquatting and name-confusion attacks on Windows and Linux.”
The attackers use a technique called typosquatting. For example, instead of “colorama”, a developer can accidentally type “columrama” or “coloramaa” and download a harmful version.
These fake packages were uploaded to the PyPI repository, which is the main source of Python libraries.
Security Research Advocate Darren Meyer at Checkmarx said, “We have found the malicious Python (PyPI) package as part of a typosquatting campaign. The malicious package allows for remote control, persistence, etc.”
What makes this campaign unusual is that the attackers mixed names from different ecosystems, using names from the NPM world (JavaScript) to trick Python users.
This cross-platform targeting is rare and suggests a more advanced and potentially coordinated strategy.
The Windows and Linux payloads share upload timing and naming, but use different tools, tactics and infrastructure, which means they cannot be from the same source.
Once installed, the fake packages can cause severe damage. On Windows systems, the malware establishes persistence with a scheduled task and harvests environment variables, which may include sensitive credentials.
It also attempts to disable antivirus software using commands such as Set-MpPreference -DisableIOAVProtection $true.
On Linux systems, packages such as colorzator and collaiz carry an encoded payload, communicate through platforms such as Telegram and Discord, and exfiltrate data to services such as Pastebin.
These scripts do not simply execute once; they are designed for stealth and persistence, using techniques such as masquerading as kernel processes and editing rc.local and crontab for automatic execution.
Although the malicious packages have been removed from the public repository, the danger is not over.
Developers should be very careful when installing packages, as even the best endpoint protection platforms struggle with these advanced tactics. Always double-check the spelling and make sure the package comes from a reliable source.
Checkmarx recommends that organizations audit all deployed and deployable packages, continuously check application code, scrutinize private repositories, and block known malicious names.
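One way to act on the typosquatting description and the advice to audit packages and block known malicious names, given here as an added example that is not code from Checkmarx or the original report. The ALLOWED, NPM_NAMES and BLOCKED sets, the distance threshold of 2 and the sample requirements are assumptions made for illustration.

```python
import re

# Assumptions for this sketch: ALLOWED is the set of PyPI names the project
# really uses; NPM_NAMES are well-known names from another ecosystem that a
# PyPI lookalike might borrow; BLOCKED holds names already known to be bad
# (here, the two misspellings quoted in the article).
ALLOWED = {"colorama", "requests"}
NPM_NAMES = {"colorizr"}
BLOCKED = {"coloramaa", "columrama"}


def normalize(name):
    """Compare names the way PyPI does: lower-case, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance, keeping only the previous row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(requirement_lines, max_distance=2):
    """Return {package name: reason} for every entry that needs review."""
    findings = {}
    for line in requirement_lines:
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks, comments, pip options
            continue
        name = normalize(re.split(r"[\s<>=!~;\[@]", line, maxsplit=1)[0])
        if name in BLOCKED:
            findings[name] = "blocked name"
        elif name not in ALLOWED:
            # Closest reference name, including names from the other ecosystem.
            dist, ref = min((edit_distance(name, r), r) for r in ALLOWED | NPM_NAMES)
            if dist <= max_distance:
                findings[name] = f"resembles {ref} (distance {dist})"
    return findings


# Constructed requirements file, not taken from any real project.
SAMPLE = ["colorama==0.4.6", "coloramaa>=1.0", "columrama", "colourama",
          "colorizr", "numpy  # fine"]
if __name__ == "__main__":
    for pkg, why in audit(SAMPLE).items():
        print(f"{pkg}: {why}")
```

A distance of 0 against an NPM name means a Python requirement exactly matches a JavaScript package name that is not on the PyPI allowlist, which is the cross-ecosystem case the report describes.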