How To Protect Your Azure Development Environment From These Malicious npm Packages?

The JFrog security team recently identified hundreds of malicious packages that were most likely created to target Azure developers. According to the report, the list contains 217 packages that aim to steal PII (personally identifiable information) such as user names, home directories, IP addresses, and DNS configurations of the victim systems. This post explains how to protect your Azure development environment from these malicious npm packages.

Victims Of Malicious npm Packages:

The JFrog team says that, after manually inspecting these packages, they found that this was a targeted attack against all npm developers who use packages under the @azure, @azure-rest, @azure-tests, @azure-tools, and @cadl-lang scopes.

“After manually inspecting some of these packages, it became apparent that this was a targeted attack against the entire @azure npm scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope.”

How Attackers Delivered Malicious npm Packages?

Attackers used typosquatting to deliver the packages. With this method, the attacker creates a new (malicious) package with the same name as an existing @azure scope package but without the scope name, so a developer who mistakenly omits the scope when installing gets the attacker's package instead. The massive download counts of this set of legitimate packages made it easier for the attacker to land malicious packages on victim systems.

In addition to the typosquatting infection method, extremely high version numbers have been used in the malicious packages, indicative of a dependency confusion attack. “A possible conjecture is that the attacker tried to target developers and machines running from internal Microsoft/Azure networks and the typosquatting-based targeting of regular npm users. As mentioned, we did not pursue research on this attack vector and as such this is just a conjecture.”

Example:

@azure/core-tracing is the legitimate package.

core-tracing is the malicious package.

Moreover, the attacker might have used automated scripts to create multiple user accounts and upload the malicious packages from them, hiding the packages' origin.

List Of Identified Malicious npm Packages:

A total of 217 malicious npm packages have been identified so far. Please visit this page for new updates.


How To Protect Your Azure Development Environment From These Malicious npm Packages?

Ensure that all installed packages are legitimate. Check the packages whose names start with the @azure, @azure-rest, @azure-tests, @azure-tools, and @cadl-lang scopes. The packages you have installed for Azure development must carry these prefixes.

To do this, change your current directory to the npm project you want to test and run the command below. npm list (or npm ls) lists the installed packages. Pipe the output of npm list to grep to filter it by the package names listed in the packages.txt file. Create packages.txt, with all the malicious package names listed in it, before you run this command.

npm list | grep -f packages.txt
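
The command above matches substrings, so the pattern core-tracing also hits the legitimate @azure/core-tracing. The following is an added example, not part of the original post, that reports only unscoped packages whose exact name is in packages.txt. It assumes POSIX-style paths from npm ls --all --parseable; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Scope-aware variant of `npm list | grep -f packages.txt`.
#
# Real use, from inside the npm project:
#   npm ls --all --parseable | flag_unscoped packages.txt

# Reads `npm ls --all --parseable` output (one install path per line) on stdin.
# $1 = blocklist file with one unscoped package name per line.
# Prints each blocklisted name that is installed WITHOUT a scope, once.
# Exit status: 0 if at least one was found, 1 if none.
flag_unscoped() {
    sed -n 's#.*node_modules/##p' |  # keep the name after the last node_modules/
        grep -v '^@' |               # drop scoped packages such as @azure/...
        sort -u |                    # nested copies are reported once
        grep -Fx -f "$1"             # exact, whole-name match against the list
}

# Constructed sample standing in for `npm ls --all --parseable` output.
# my-core-tracing-helper is a hypothetical, harmless package name that a
# substring match on "core-tracing" would wrongly flag.
sample_tree() {
    cat <<'EOF'
/home/dev/app
/home/dev/app/node_modules/@azure/core-tracing
/home/dev/app/node_modules/core-tracing
/home/dev/app/node_modules/express
/home/dev/app/node_modules/express/node_modules/my-core-tracing-helper
EOF
}
```

With packages.txt containing core-tracing, the sample tree yields the single name core-tracing, while the substring-based grep flags three of its lines, including the legitimate scoped package.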

It is always good to deploy intelligent supply chain security solutions like JFrog Xray to prevent such attacks in the future.


About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
