Researchers warn of malicious typosquatting packages making their way into open source repositories

Malicious typosquatting packages prey on naive users or developers who make a slight typographical error

Researchers at software supply chain management firm Sonatype have warned that attackers are increasingly planting malicious 'typosquatting' packages in open source repositories to steal confidential data from victims.

In a blog post detailing their findings, Sonatype researcher Ax Sharma said they had discovered 130 typosquatting packages on the JavaScript package manager npm and a dozen malicious packages on Python Package Index (PyPI).

Typosquatting, also known as URL hijacking, is a form of cybersquatting that targets users who mistype a website address into their browser.

Malicious typosquatting packages prey on a naive user or a developer who makes a slight typographical error, so that they download the malicious package instead of the one they intended to install.

In one such finding, Sonatype researchers identified a malicious typosquat called "collored", in imitation of the official "colored" package.

While the official package is a simple library for colour and terminal formatting, the collored package launches a malicious executable on the infected device.

However, the researchers found that the collored package does not bundle the executable itself; instead it sends an HTTP request to a hardcoded rentry[.]co link.

The collored package is now being tracked as sonatype-2022-1141 by the researchers.
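Lookalike names such as "collored" for "colored" sit one keystroke away from the package they imitate, which is something a dependency review can check for. The following is an added example, not code from Sonatype or the article: it flags dependency names that lie within a small edit distance of an allowlist of well-known packages (the allowlist here is a constructed sample, not a real registry feed).

```python
# Added example (not from the Sonatype research or the article): flag dependency
# names that sit within a small edit distance of well-known package names, the
# pattern behind "collored" vs "colored". The known-package list is a constructed
# sample; in practice it would come from the packages your projects actually use.

KNOWN_PACKAGES = {"colored", "requests", "numpy", "flask"}  # constructed sample
MAX_DISTANCE = 1  # one typo away; raising this quickly increases false positives


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PyPI treats '-', '_' and '.' as equivalent and names as case-insensitive."""
    return name.lower().replace("_", "-").replace(".", "-")


def find_typosquats(deps, known=KNOWN_PACKAGES, max_distance=MAX_DISTANCE):
    """Return [(dependency, lookalike_known_name, distance)] for suspicious names."""
    known_norm = {normalize(k): k for k in known}
    hits = []
    for dep in deps:
        d = normalize(dep)
        if d in known_norm:
            continue  # exact match with a known package: nothing to flag
        for kn, original in known_norm.items():
            dist = levenshtein(d, kn)
            if dist <= max_distance:
                hits.append((dep, original, dist))
    return hits


if __name__ == "__main__":
    sample = ["collored", "colored", "requets", "django"]  # constructed input
    for dep, lookalike, dist in find_typosquats(sample):
        print(f"{dep!r} is {dist} edit(s) from {lookalike!r}: review before installing")
```

A hit is a prompt for a human to check the package's origin and publisher, not proof of malice; legitimate forks and plugins often carry similar names.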

Not all malicious libraries use the typosquatting technique. Another package found by Sonatype last week, named "huehuehuehue" (sonatype-2022-1142), comes with a base64 string and launches a bind shell on the user's system, to which the attacker is then able to connect.

The researchers also uncovered the "aiohttp-socks4" PyPI package, which looks to be an effort to revive the trojanised package "aiohttp-socks5".

Additionally, they discovered eight PyPI packages that targeted Azure developers and environments via dependency confusion.

Last month, DevOps security firm JFrog said that it had discovered, and assisted in the removal of, another batch of 25 malicious JavaScript libraries that had made their way onto the official npm package registry with the intent of stealing Discord tokens and environment variables from compromised systems.

All 25 libraries were named after more popular libraries, with their makers clearly intending that developers would pull them into projects by mistyping a name or not properly checking a package's origin.

Seventeen of them were intended to steal Discord access tokens from machines where malicious code was run.

Three packages also enabled attackers to execute their own commands on the user's machine using Python code or shell commands.