{"id":45869,"date":"2022-03-24T13:57:03","date_gmt":"2022-03-24T13:57:03","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/33251\/Malicious-npm-Packages-Target-Azure-Devs-To-Steal-Personal-Data.html"},"modified":"2022-03-24T13:57:03","modified_gmt":"2022-03-24T13:57:03","slug":"malicious-npm-packages-target-azure-devs-to-steal-personal-data","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/malicious-npm-packages-target-azure-devs-to-steal-personal-data\/","title":{"rendered":"Malicious npm Packages Target Azure Devs To Steal Personal Data"},"content":{"rendered":"

A “large scale” attack is targeting Microsoft Azure developers through malicious npm packages.  <\/p>\n

On Wednesday, cybersecurity researchers from JFrog said that hundreds of malicious packages<\/a> have been identified, created to steal valuable personally identifiable information (PII) from developers.  <\/p>\n

\n

ZDNet Recommends<\/span> <\/h3>\n<\/p><\/div>\n

According to researchers Andrey Polkovnychenko and Shachar Menashe, the repositories were first detected on March 21 and steadily grew from roughly 50 malicious npm packages to over 200 in a matter of days. <\/p>\n

The miscreants responsible for the npm repositories have developed an automated script that targets the @azure npm scope, alongside @azure-rest, @azure-tests, @azure-tools, and @cadl-lang.  <\/p>\n

The script is responsible for creating accounts and uploading the npm sets, which include container services, a health bot, testers, and storage packages.  <\/p>\n

JFrog says that typosquatting has been used to try and dupe developers into downloading the files. At the time of writing, these packages contained information stealer malware.  <\/p>\n

Typosquatting is a form of phishing in which small changes are made to an email address, file, or website address to mimic a legitimate service or content. For example, an attacker could target users of “your-co<\/strong>mpany.com” by registering a domain name with “your-c0<\/strong>mpany.com” — and by replacing a single letter, they hope that victims do not notice that the resource is fraudulent.  <\/p>\n

In this case, malicious packages are created with the same name as an existing @azure scope package, but they have dropped the scope.  <\/p>\n

\"screenshot-2022-03-24-at-08-42-04.png\"<\/span>