A New, Stealthier Type of Typosquatting Attack Spotted, Targeting NPM
May 2023 by Checkmarx
In the constantly evolving world of cybersecurity, attackers are always looking for new ways to exploit weaknesses and compromise systems. One such opening exists on the Node Package Manager (NPM) registry: attackers can use lowercase letters in package names to impersonate legitimate packages whose names contain uppercase letters. This deceptive tactic is a dangerous twist on the well-known attack method known as "Typosquatting." In this blog post, we will explore the origins of this issue, the risks it poses, and the steps that can be taken to address it, while also examining its relationship to Typosquatting.
A Brief History of Package Naming in NPM
In the early days of NPM, package creators were allowed to use both upper and lowercase letters in their package names. However, in 2017, NPM changed its policy, and new packages could only be created with lowercase letters in their names. Despite this change, existing packages with mixed-case names were allowed to remain on the registry and are in use to this day. In fact, there are thousands of these mixed-case packages still available, collectively accounting for tens of millions of downloads.
The Impersonation Threat
The problem is that bad actors can exploit this situation by uploading packages whose names consist of exactly the same letters as a legitimate package, with every uppercase letter of the original replaced by its lowercase form. Because new package names must be all lowercase, NPM accepts such a name as a brand-new, unrelated package. This deceptive tactic is intended to trick users into downloading and installing the malicious package instead of the intended legitimate one.
For example, consider the legitimate package "memoryStorageDriver" and a look-alike "memorystoragedriver" (the screenshot comparing the two package listings has been removed for security reasons). The only difference between the two package names is the capitalization of the "S" and "D" in "memoryStorageDriver." Users might unintentionally install the wrong package because the two names look so similar.
A stealthier approach to Typosquatting:
This malicious package impersonation takes the traditional "Typosquatting" attack method to a new level of deception where attackers register package names that consist of the exact same letters as the legitimate ones, with the only difference being the capitalization. This makes it even harder for users to detect the deception, as they can easily overlook the subtle differences in capitalization.
The Scope of the Problem:
At the time of publication, 3,815 packages on NPM had uppercase letters in their names. Of these, 1,900 are at risk of impersonation: the all-lowercase form of their name is not registered, so anyone can publish a new package under it. Some of the at-risk packages are quite popular, such as "objectFitPolyfill," which has hundreds of thousands of weekly downloads. In total, the packages at risk account for tens of millions of downloads.
[Figures: the NPM listing of the popular package "objectFitPolyfill", whose name contains capital letters; and the all-lowercase form "objectfitpolyfill", which is unregistered and available for anyone to use in a new package.]
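The check described above can be automated against a project's lockfile. The following is an added example written for this post, not Checkmarx's tooling: it reads an npm lockfile (assumed to be lockfileVersion 2 or 3, whose "packages" map is keyed by "node_modules/<name>"), flags dependencies with capital letters in their names (their lowercase twin is the name an attacker would register), and flags all-lowercase dependencies that match a constructed allowlist of legitimate mixed-case packages letter for letter. The allowlist, the sample lockfile and the `KNOWN_MIXED_CASE` / `auditLockfile` names are assumptions of the example.

```javascript
// Added example, not code from the Checkmarx post: audit an npm lockfile for
// case-based impersonation risk. npm compares package names exactly, so
// "objectFitPolyfill" and "objectfitpolyfill" are two different packages.
// Assumptions (hypothetical): the lockfile uses lockfileVersion 2 or 3, whose
// "packages" map is keyed by "node_modules/<name>", and KNOWN_MIXED_CASE is a
// constructed allowlist of legitimate mixed-case packages a project depends on.

const KNOWN_MIXED_CASE = new Set([
  "objectFitPolyfill",   // named in the post
  "memoryStorageDriver", // named in the post
]);

// Constructed lockfile excerpt (not a real project's lockfile) in which one
// dependency resolved to the all-lowercase twin of a legitimate package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app",
      dependencies: { objectfitpolyfill: "^2.3.5", memoryStorageDriver: "^0.1.0", lodash: "^4.17.21" },
    },
    "node_modules/objectfitpolyfill": { version: "2.3.5" },
    "node_modules/memoryStorageDriver": { version: "0.1.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

function hasUppercase(name) {
  return name !== name.toLowerCase();
}

// Package names from the "packages" map. Taking the text after the last
// "node_modules/" handles nested installs ("node_modules/a/node_modules/b")
// and keeps scoped names intact ("@scope/pkg").
function lockfilePackageNames(lock) {
  const marker = "node_modules/";
  return Object.keys(lock.packages || {})
    .filter((key) => key.includes(marker))
    .map((key) => key.slice(key.lastIndexOf(marker) + marker.length));
}

// Two kinds of finding:
//  - "mixed-case-dependency": a legacy name with capitals; its lowercase twin is
//    the name an attacker would register, so watch (or reserve) that twin.
//  - "possible-impersonation": an all-lowercase name that matches a known
//    legitimate mixed-case package letter for letter; this is the attack pattern.
function auditLockfile(lock, knownMixedCase = KNOWN_MIXED_CASE) {
  const legitByLower = new Map();
  for (const legit of knownMixedCase) legitByLower.set(legit.toLowerCase(), legit);

  const findings = [];
  for (const name of lockfilePackageNames(lock)) {
    if (hasUppercase(name)) {
      findings.push({ name, kind: "mixed-case-dependency", twin: name.toLowerCase() });
    } else if (legitByLower.has(name)) {
      findings.push({ name, kind: "possible-impersonation", lookalikeOf: legitByLower.get(name) });
    }
  }
  return findings;
}

// Stand-alone usage: `node audit-case.js package-lock.json`; without an
// argument the constructed sample lockfile is audited.
if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  for (const finding of auditLockfile(lock)) console.log(JSON.stringify(finding));
}
```

On the sample lockfile the audit reports "objectfitpolyfill" as a possible impersonation of "objectFitPolyfill" and "memoryStorageDriver" as a mixed-case dependency whose twin "memorystoragedriver" should be watched. The allowlist is the part that needs care in practice: it should list the mixed-case packages your projects legitimately depend on, and the audit will only catch the lowercase twins of names it knows about.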
How Do Other Package Managers Compare with NPM?
To better understand the malicious package impersonation issue in NPM, let’s compare how other popular package managers, such as PyPI and NuGet, handle this issue.
Both PyPI and NuGet take a more robust approach to package names that mix uppercase and lowercase letters: a name is treated as an identity that is compared case-insensitively, not as an exact string.
For example, imagine a package named "ExamplePackage" published on PyPI or NuGet. Unlike NPM, both of these package managers still allow package creators to upload packages with names containing both upper and lowercase letters. Once "ExamplePackage" is published, however, PyPI and NuGet refuse any other package that would take the same name under a different capitalization. This means that a package named "examplepackage" or "Examplepackage" cannot be uploaded by someone else, preventing bad actors from exploiting package name variations for malicious purposes. PyPI goes further: under PEP 503 it also treats "-", "_" and "." as interchangeable, so "example-package" and "example_package" resolve to the same project as "ExamplePackage".
In addition, because names are resolved the same way at install time, a user who types a name with the wrong capitalization still gets the legitimate package. For instance, if a user tries to install "ExamplePackage" but types "examplepackage" instead, pip and NuGet resolve the request to the existing "ExamplePackage" rather than to a different package. This is not a separate typo-correction feature; it is the same name normalization applied on both the publish path and the install path.
By employing these measures, PyPI and NuGet significantly reduce the chances of users falling victim to deceptive tactics such as the package impersonation weakness in NPM, providing a more secure environment for package distribution and installation.
Addressing the Issue
At Checkmarx, we’ve taken measures to mitigate the risk of users falling victim to this type of attack. These include:
Securing the namespace: We have uploaded placeholder packages for the vulnerable NPM packages in order to secure their namespace, preventing bad actors from exploiting the capitalization vulnerability.
Monitoring all packages: We are constantly monitoring packages in the open-source ecosystem for malicious activity, and have added packages that are susceptible to this type of attack to our watch list.
Package health checks: Users can check a package's health before installing it with the various tools available. For example, the Overlay browser extension can alert you if a package has known security issues or vulnerabilities, based on the latest advisories from trusted sources. Checks like this help you confirm that the package you are about to install is the one you intend and has no known problems.
Raising awareness: We’re dedicated to spreading awareness about attacks such as this and their potential impacts. By sharing our findings with the community, we aim to educate users and developers about the risks involved and the precautions they can take.
Conclusion
It’s important to emphasize how easy it is to fall for this type of attack, since the only difference between the legitimate and the malicious package is as subtle as a change in capitalization. This weakness highlights the importance of staying vigilant and being aware of the evolving tactics employed by bad actors. By understanding the risks, users can take appropriate precautions.