Malicious ESLint Package Let Attackers Steal Data And Inject Remote Code

Cybercriminals exploited typosquatting to deploy a malicious npm package, `@typescript_eslinter/eslint`, targeting developers seeking the legitimate TypeScript ESLint plugin, which was designed to mimic the genuine plugin, compromised systems by monitoring keystrokes, clipboard data, and executing remote commands. 

They leveraged a WebSocket server for real-time control and data exfiltration as the persistence of a secondary malicious package, `@typescript_eslinter/prettier`, highlights the ongoing threat posed by such attacks, emphasizing the need for heightened security awareness and package validation practices within the open-source ecosystem. 

It was published on npm and quickly released 43 versions, aiming to deceive developers into installing it, where this malicious package, once installed, executed a complex attack chain, highlighting the potential risks of typosquatting in the npm ecosystem.

It also secretly tracks clipboard activity using the clipboard-event library, and once it detects a change in the clipboard, it logs the new content, which allows potential attackers to gain unauthorized access to sensitive information copied to the clipboard. 

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The code snippet utilizes the `node-global-key-listener` package to establish a global keyboard listener that captures all keystrokes (excluding mouse events) when a key is pressed down (`e.state === “DOWN”`). 

If a key is pressed, it appends the key name to a variable named `pendingData.fuzzer`, potentially accumulating sensitive information like passwords or API keys typed by the user, suggesting the code’s malicious intent as it gathers potentially sensitive user input without their awareness.  

The script copies a malicious `.bat` file to the Windows Startup folder, which ensures the malicious code executes persistently upon system restart. By embedding itself in the startup process, the script gains a foothold on the system, potentially enabling further malicious activities. 

By establishing a persistent WebSocket connection, it makes an attempt to communicate in real time with a remote server, most likely for malicious purposes. 

It first decodes a Base64 string to reveal the server’s IP address (ws://135.181.226.254:5051), potentially hiding the target’s location, which aims to bypass static analysis and make detection harder. 

Once connected, the script could exfiltrate sensitive data or execute commands on the compromised system, furthering the attacker’s control. 

The malicious package leverages a function to delete ESLint, a legitimate linting tool, preventing developers from using trusted processes, which allows the package to replace these processes with its own malicious ones. 

According to Socket, the attackers were able to gain access to a wide variety of systems and developers by exploiting a vulnerability in the @typescript-eslint/eslint-plugin package vulnerability. 

The secondary malicious package, @typescript_eslinter/prettier, remains a threat, and the IP address 135.181.226.254, associated with Hetzner Online GmbH, is linked to the attack’s infrastructure. 

A highly sophisticated attack that involved the malicious package `@typescript_eslinter/eslint` was recently launched against the open-source ecosystem. 

While the primary package has been removed from npm, its secondary payload, `@typescript_eslinter/prettier`, persists, posing an ongoing threat. 

Tools like Socket for GitHub and Safe npm CLI can effectively identify and mitigate such threats by blocking supply chain attacks and flagging various code quality and security issues. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free