Malicious ESLint Package Steals Data & Injects Remote Code

Cybercriminals are exploiting typosquatting to trick developers into installing malicious npm packages. One such attack involves a fake package imitating `@typescript-eslint/eslint-plugin`, designed to compromise development environments and grant unauthorized access.

The malicious package `@typescript_eslinter/eslint` is easily mistaken for the legitimate ESLint plugin for TypeScript, and installing it could compromise a developer's system.

Attackers used typosquatting to get the malicious packages installed and compromise development environments. Once installed, the package established a WebSocket connection, enabling real-time data exfiltration and remote command execution on compromised systems.

The continued availability of the malicious `@typescript_eslinter/prettier` package on npm poses an ongoing security risk, potentially compromising developer systems and eroding trust in the open-source ecosystem.

The software covertly monitors clipboard activity, logs keystrokes on Windows systems, executes commands remotely, persists itself for continuous operation, and transmits the collected data to a remote server across multiple platforms.

The popular TypeScript linting plugin, @typescript-eslint/eslint-plugin, has been targeted by typosquatting because of its extensive use in production environments and CI/CD pipelines, posing a security risk to developers who may inadvertently install the malicious lookalike.

[Image: malicious package @typescript_eslinter/eslint]

It was published and rapidly updated to evade detection, relying on a common developer typo to infect systems and potentially executing a complex attack chain before its removal on December 1st.

The attackers deployed a secondary malicious package, @typescript_eslinter/prettier, to amplify the primary package's impact; it is still available on npm and is designed to propagate and intensify the malicious behavior.

The malicious package employs the `clipboard-event` package to actively monitor clipboard changes. Upon detecting any modifications, it logs the altered data, potentially capturing sensitive information.

It utilizes the `node-global-key-listener` package to capture every keyboard press (mouse events are ignored) while a key is held down; each captured key is appended to a variable, potentially recording sensitive user input such as passwords or credentials.

The script copies a malicious `.bat` file to the Windows Startup folder, ensuring it runs on every system restart. Embedding the malicious code in the system's startup processes gives the attacker persistent access and the opportunity for further harmful activity.

The package establishes a persistent WebSocket connection to a remote server, likely for malicious purposes. The server address is stored encoded, which obscures the true location (a Hetzner host in Finland) and hides what is likely command-and-control functionality for data exfiltration or dynamic command execution.

The package also shows a clear intent to disable legitimate tools like ESLint, potentially hindering code quality and security checks and paving the way for the introduction of harmful processes.

Hackers exploited a typosquatted lookalike of the `@typescript-eslint/eslint-plugin` package to infiltrate developer workflows, steal sensitive data, and execute malicious commands via a WebSocket connection.

The widespread use of the compromised package and the ongoing presence of the secondary malicious package on npm heighten the risk to numerous systems. 

According to Socket, the malicious package known as `@typescript_eslinter/eslint` utilized typosquatting as a means to deliver a sophisticated payload chain. 

While the primary package has been removed, the secondary payload `@typescript_eslinter/prettier` remains active, highlighting the need for typosquatting detection tools like Socket for GitHub and Safe npm CLI to protect open source supply chains.
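As an added example that is not part of the original article or of Socket's tooling, the Node.js script below audits a lockfile-style dependency map for the two signals this incident exhibits: package scopes that closely resemble a trusted scope such as `@typescript-eslint`, and packages that pull in clipboard or keyboard capture libraries (`clipboard-event`, `node-global-key-listener`) that a linter has no reason to need. The input map, the version strings and the distance threshold are constructed assumptions for illustration.

```javascript
// Added defensive audit (example code, not from the article or from Socket).
const TRUSTED_SCOPES = ['@typescript-eslint'];
// Capture libraries the article reports inside the malicious package.
const SUSPICIOUS_DEPS = new Set(['clipboard-event', 'node-global-key-listener']);
const MAX_SCOPE_DISTANCE = 2; // assumed threshold: "_eslinter" vs "-eslint" scores 2

// Lower-case and drop separators so "-" / "_" swaps do not hide a lookalike.
function normaliseScope(scope) {
  return scope.toLowerCase().replace(/[-_.]/g, '');
}

// Standard Levenshtein edit distance with a rolling two-row table.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// deps: { packageName: { version, requires: { depName: range } } }
// Returns one finding per suspicious signal found.
function auditDependencies(deps) {
  const findings = [];
  for (const [name, meta] of Object.entries(deps)) {
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (scope && !TRUSTED_SCOPES.includes(scope)) {
      for (const trusted of TRUSTED_SCOPES) {
        const d = levenshtein(normaliseScope(scope), normaliseScope(trusted));
        if (d <= MAX_SCOPE_DISTANCE) {
          findings.push({ name, reason: `scope resembles ${trusted} (edit distance ${d})` });
        }
      }
    }
    const bad = Object.keys(meta.requires || {}).filter((r) => SUSPICIOUS_DEPS.has(r));
    if (bad.length) findings.push({ name, reason: `depends on ${bad.join(', ')}` });
  }
  return findings;
}

// Constructed sample lockfile data (versions are placeholders, not real releases).
const SAMPLE_LOCK = {
  '@typescript-eslint/eslint-plugin': { version: '0.0.0-sample', requires: { '@typescript-eslint/utils': '0.0.0-sample' } },
  '@typescript_eslinter/eslint': { version: '0.0.0-sample', requires: { 'clipboard-event': '0.0.0-sample', 'node-global-key-listener': '0.0.0-sample', ws: '0.0.0-sample' } },
  prettier: { version: '0.0.0-sample', requires: {} },
};

console.log(JSON.stringify(auditDependencies(SAMPLE_LOCK), null, 2));
```

On the sample data the audit reports two findings, both against `@typescript_eslinter/eslint`, and nothing against the genuine plugin or `prettier`.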

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
