Last week over 200 malicious packages were discovered in the npm registry targeting Azure developers with PII-stealing malware.
The attack method is simple: the attacker creates a malicious package with the same name as an existing package within the @azure scope but omits the @azure scope name. This means that if a developer attempts to install a package but mistakenly omits the @azure scope name, instead of getting an error, they will install the malicious package of the same name.
The legitimate packages within the @azure scope are downloaded from npm millions of times each week, so it is likely that many developers accidentally downloaded the malicious alternatives – even though they were only available for about two days before they were discovered and removed from the npm registry.
This incident is a good example of a software supply chain attack and a reminder to Development Managers and Security Managers of the need to safeguard and protect the sources of third-party libraries and packages that are incorporated into their in-house developed applications and systems.