Cybersecurity researchers from JFrog have identified hundreds of malicious npm packages targeting Microsoft Azure developers. The large-scale attack was designed to steal valuable personally identifiable information (PII) from the developers. The set of packages in the npm registry grew from 50 to more than 200 by March 21. The entire set of malicious packages was disclosed to the npm maintainers and was removed.
Cybersecurity researchers Andrey Polkovnychenko and Shachar Menashe believe that it was a targeted attack against the entire @azure npm scope. The attack was carried out by an automated script that created accounts and uploaded the malicious packages. A few packages from @azure-rest, @azure-tests, @azure-tools and @cadl-lang were also targeted.
The form of attack used, known as typosquatting, is a phishing-style technique in which an email address, file name, or website address is altered slightly so that it mimics the legitimate service or content. Polkovnychenko and Menashe believe that in this case the attacker aimed to fool developers into downloading the malicious files by creating a new (malicious) package with the same name as an existing @azure scope package, but with the scope name dropped.
It is likely that at least some developers fell victim to the attack, as the legitimate set of packages is downloaded tens of millions of times each week. The JFrog researchers believe the attacker was relying on some developers erroneously omitting the @azure prefix when installing a package: for example, running npm install core-tracing by mistake instead of the correct command, npm install @azure/core-tracing.
It was also noted that the malicious packages carried extremely high version numbers, for example 99.10.9, which is indicative of a dependency confusion attack. The JFrog researchers believe this may have been an attempt to target developers and machines on internal Microsoft/Azure networks, in addition to targeting npm users through typosquatting. The malicious payload is believed to have been intended for initial reconnaissance of vulnerable targets, or as a bug bounty hunting attempt against Azure users and possibly Microsoft developers.
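The two signals described above, a scoped package name installed without its scope and an implausibly high version number, can both be checked from a project's dependency list before anything is installed. The following is an added example and is not JFrog's or npm's own code; the list of known scoped packages, the version threshold and the sample dependencies are constructed for illustration.

```javascript
// Added example: audit a package.json "dependencies" object for the two
// patterns reported in the @azure typosquatting campaign.

// Constructed allow-list of scoped packages a project legitimately uses.
// In practice, derive this from your lockfile or internal registry.
const KNOWN_SCOPED = ["@azure/core-tracing", "@azure/identity", "@azure/storage-blob"];

// Assumed heuristic threshold: legitimate @azure packages have small major
// versions, so a major like the reported 99.10.9 is a strong confusion signal.
const SUSPICIOUS_MAJOR = 90;

// Map each unscoped name to its scoped original,
// e.g. "core-tracing" -> "@azure/core-tracing".
function unscopedIndex(scopedNames) {
  const idx = new Map();
  for (const full of scopedNames) {
    const m = /^@[^/]+\/(.+)$/.exec(full);
    if (m) idx.set(m[1], full);
  }
  return idx;
}

// Audit { name: versionRange } pairs and return one finding per issue.
function auditDependencies(deps, scopedNames = KNOWN_SCOPED) {
  const idx = unscopedIndex(scopedNames);
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    // Unscoped name colliding with a known scoped package: scope-dropped typosquat.
    if (!name.startsWith("@") && idx.has(name)) {
      findings.push({ name, kind: "scope-dropped", expected: idx.get(name) });
    }
    // Extract the major from ranges such as "^1.2.3", "~99.10.9" or "99.10.9".
    const v = /(\d+)\.\d+\.\d+/.exec(range);
    if (v && Number(v[1]) >= SUSPICIOUS_MAJOR) {
      findings.push({ name, kind: "suspicious-version", version: range });
    }
  }
  return findings;
}

// Constructed sample "dependencies" block containing one bad entry.
const SAMPLE_DEPS = {
  "@azure/identity": "^2.0.4",
  "core-tracing": "99.10.9",
  "lodash": "^4.17.21",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditDependencies(SAMPLE_DEPS)) console.log(JSON.stringify(f));
}
```

Running the block prints two findings for core-tracing (scope-dropped and suspicious-version) and none for the correctly scoped or unrelated entries.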