Who is being targeted?

The attacker seemed to target all npm developers that use any of the packages under the @azure scope, with a typosquatting attack. In addition to the @azure scope, a few packages from the following scopes were also targeted - @azure-rest, @azure-tests, @azure-tools and @cadl-lang. Since this set of legitimate packages is downloaded tens of millions of times each week, there is a high chance that some developers will be successfully fooled by the typosquatting attack.

What software supply chain attack method is used?

The attack method is typosquatting - the attacker simply creates a new (malicious) package with the same name as an existing @azure scope package, but drops the scope name.

I am using JFrog Xray, am I protected?

JFrog Xray users are protected from this attack. The JFrog security research team adds all verified findings, such as discovered malicious packages and zero-day vulnerabilities in open-source packages, to our Xray database before any public disclosure. Any usage of these malicious packages is flagged in Xray as a vulnerability. As always, any malicious dependency flagged in Xray should be promptly removed.

I am an Azure developer using a targeted package, what should I do?

Make sure your installed packages are the legitimate ones, by checking that their name starts with the @azure* scope.

Malicious Packages in npm Targeting Azure Developers

Large-scale npm attack targets Azure developers with malicious packages

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to avert potential software supply chain security threats, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Two days ago, several of our automated analyzers started alerting on a set of packages … Continue reading Large-scale npm attack targets Azure developers with malicious packages