Hackers Unleash 250 Fake npm Packages Imitating AWS & Microsoft Projects!

Malicious actors are exploiting the popularity of open-source projects by publishing over 250 booby-trapped npm packages, which masquerade as legitimate offerings from companies like AWS, Microsoft, React, and CKEditor. 

The packages contain active reverse shells and remote code execution (RCE) exploits that give attackers full control of the targeted system once a package is installed. By capitalizing on developer trust in established names, they can cause significant damage before being identified.

Researchers identified over 260 malicious npm packages mimicking legitimate ones from companies like Microsoft and Amazon. The packages emerged shortly after the real packages were updated and carried names such as “api-extractor-model,” in contrast to the genuine “@microsoft/api-extractor-model.”

Despite claims of being for testing, these packages contained exploits such as reverse shells and dependency confusion attacks, highlighting the danger of attackers riding on the popularity of real packages and the importance of vetting packages carefully before installation.

A hacker is selling reserved npm packages that exploit dependency confusion, like “api-extractor-model” which imitates a legitimate Microsoft package and connects to the attacker’s domain to download malicious code. 

redacted unsafe URLs

The packages include a note with the seller’s Telegram contact information, which implies they target developers who might install these malicious packages by accident. This raises concerns about the seller’s intentions, since the same exploits could be used for malicious purposes.

author’s Telegram account

A malicious actor squatted hundreds of package names on npmjs.com that resembled popular projects (e.g., AWS, React), containing reverse shells and remote code execution (RCE) payloads. 

The actor offered these exploits for sale, contradicting the package’s disclaimer, which claims it is for proof-of-concept (PoC) use only. When installed, the fake package would also download a dependency named “randombullshitgo-js,” which delivered the malicious code.

redacted the targeted party’s IP address as well as the package author’s hostname for privacy
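The two red flags the article describes, an unscoped name shadowing a scoped package (“api-extractor-model” vs “@microsoft/api-extractor-model”) and code that runs at install time, can be checked for in a package.json before `npm install`. The script below is an added example, not code from the article or from Sonatype; the trusted scoped-package list, the sample manifest, and the lifecycle-hook heuristic are constructed assumptions.

```javascript
// Scoped packages the organisation actually depends on (constructed sample list).
const KNOWN_SCOPED = [
  "@microsoft/api-extractor-model",
  "@aws-sdk/client-s3",
  "@ckeditor/ckeditor5-core",
];

// Map bare name -> scoped original, e.g. "api-extractor-model" -> "@microsoft/api-extractor-model".
function basenameIndex(scopedNames) {
  const index = new Map();
  for (const full of scopedNames) {
    const m = /^@[^/]+\/(.+)$/.exec(full);
    if (m) index.set(m[1], full);
  }
  return index;
}

// Report unscoped dependencies whose name equals the last segment of a trusted scoped package.
function findLookalikes(dependencies, scopedNames = KNOWN_SCOPED) {
  const index = basenameIndex(scopedNames);
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (name.startsWith("@")) continue; // scoped names cannot be shadowed this way
    const shadowed = index.get(name);
    if (shadowed) findings.push({ name, shadows: shadowed });
  }
  return findings;
}

// Lifecycle hooks that execute during installation. Flagging them is an assumed
// heuristic for install-time payloads; the article does not say which mechanism these packages used.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function findInstallScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Audit a parsed package.json: lookalike names across dependencies and devDependencies, plus install hooks.
function auditManifest(manifest, scopedNames = KNOWN_SCOPED) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  return { lookalikes: findLookalikes(deps, scopedNames), installScripts: findInstallScripts(manifest) };
}

// Constructed manifest: one genuine scoped package, one unscoped lookalike, one unrelated package.
const SAMPLE_MANIFEST = {
  name: "internal-app",
  dependencies: { "@microsoft/api-extractor-model": "^7.0.0", "api-extractor-model": "^1.0.0", lodash: "^4.17.21" },
  scripts: { postinstall: "node setup.js", test: "jest" },
};

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

A non-empty `lookalikes` list is worth treating as a blocker in CI, since the unscoped name resolves on the public registry rather than to the vendor's scoped package.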

Security researchers at Sonatype identified over 250 malicious npm packages mimicking popular libraries from Microsoft, Amazon, React, and others, which were created by a hacker claiming to be a bug bounty hunter and contained active reverse shells and remote code execution (RCE) exploits. 

Published just days after legitimate releases, the packages were disguised with messages like “bugbounty test,” but analysis revealed their malicious intent. The hacker was reportedly selling these exploits on Telegram, posing a significant threat to developers who might unknowingly install them.  

They also identified malicious packages on the npm registry that exploited a grey area in the open-source terms of service. Coming after a similar incident involving a crypto stealer aimed at Python developers, this likely represented an attempt by APT actors to deploy next-stage attacks.

The campaign highlights the growing trend of attackers targeting open-source registries to compromise both niche developers (e.g., AI/LLM) and public-sector organizations (.NET shops), which offers a wider target base than traditional attack methods.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
