All developers are prone to mistakes that leave them open to typosquatting attacks. Tiredness, dirty keyboard, or software issues may lead to typing some letters twice. Everyone would like to see a red screen and alarm coming out of the computer in such a case, but sadly, it doesn’t always work that way with most supply chain attacks. As attackers and their methods become more sophisticated every day, they are using ever-more devious ways to hide the fact that you installed a malicious package.
WhiteSource’s Diffend supply chain security platform blocked the personal-colorss package 39 minutes after it was published into npm on May 9th, 2022. On the day of this blog’s publication, the package is still available in npm and is simple to mistake with the original colors package, not only due to its name. The package is malicious and is stealing discord tokens. While this is not something we haven’t seen before, this package is using a new approach for a better disguise and execution of its malicious behavior.
What is unique about this attack method?
The personal-colorss package seems to be acting as the chart-topping original colors package which has 20 million weekly downloads. Due to the immutability of the interface in the malicious package, the users will be able to use the capabilities of ‘colors’ when using ‘personal-colorss’. Unfortunately, underneath the interface, a malicious python file is being executed to steal Discord tokens.
The main file of both the original colors package and the malicious version is lib/colors.js. The malicious package has two versions, 0.0.1 and 0.0.2. It contains the non-obfuscated version of the malicious code in version 0.0.1 and the obfuscated version of the exact same code in version 0.0.2. As you will later see in the non-obfuscated version, the package collects user information that is needed for the execution of another malicious Python script.
Let’s focus on the visual similarities first.
On the left, is the malicious version and on the right is the original version:
Figure 1 – colors.js file from both legit and malicious versions of ‘colors’.
Both code snippets are indistinguishable, as are the rest of the files in the package, which gives the malicious version of ‘colors’ the option to act as if it is the original one, with all its capabilities.
In addition, the actor took advantage of the fact that the beginning of the original file contains comments by the author to inject the malicious part while keeping the file similar in length and content:
Figure 2 – the only visual difference between the legit and the malicious package
On the left, we see the malicious package ‘personal colorss’, while on the right we see the original ‘colors’. The codes only differ in the marked area.
The packages also look identical in the npm registry, and it’s hard to distinguish between them:
Figure 3 – npm registry page of both packages
So far we observed that:
The actor is injecting the malicious code at the beginning of the ‘colors.js’ file, replacing the comments made by the original author.
After the first 28 lines that are inserted by the malicious actor, the rest of the code is identical to the original colors package.
The actor is trying to keep the length of the file similar to the original version to maintain the visual and functional similarities to the original package.
Most importantly and severely, the actor is executing a main.py file (line 23) that is still unknown to us.
Let’s take a look at the first 31 lines of the file lib/colors.js file in the malicious package ‘personal-colorss’.
Line 9 assigns a link to the constant named ‘url’, that later on is used to download a main.py file.
The imported ‘file-download’ package in line 3, gives later the option to download the file from a previously defined source. The download happens in line 18.
Line 16 is the declaration of the method baixararquivo. This method uses the package ‘file-download’ that was required earlier in line 4.
”baixar arquivo” is being translated from Portuguese to “download file”.
The first call to baixararquivo happens in line 21.
The method baixararquivo in line 19 calls the function pip() that executes the newly downloaded python file.
‘pip’ is the package installer for Python, so the function name might lull us into a false sense of security.
The attacker uses execSync in line 26 to make sure Node is waiting for its process to finish. NodeJS supports doing this synchronously. That way, the attacker allows the script to wait for the end of execution.
Once the connection is established, we observe an attempt to pull out every information (discord token) stored in the browser cache through a TCP connection (IP: 18.104.22.168 port 80).
Although the technique used in the Python script is not new, the package stands out because of the way it is disguised and because of how well it mimics the original popular package.
Discord tokens are in high demand by attackers, as it contains important information such as username, password, email, and date of birth, which users provide when signing up to Discord.
The token is a way to verify who you are without exposing the password. Whoever has your discord token could also get access to your account even if you have two-factor authentication (2FA) on, as the token already has all the information inside. For some reason, Discord user tokens are plaintext, easy to steal, and let hackers bypass 2FA.
The attackers are evolving with each attack, and the open-source registries do not always take those packages down fast, if at all. It is likely that we will see more similar attacks in the future.
WhiteSource’s automated malware detection platform, Diffend, checks to make sure you’re only using verified package sources and prevents you from importing any malicious package into your organization or personal machine. WhiteSource Diffend is free to use. Sign up here >>
Tamir Ben Ari is a malware researcher at WhiteSource, investigating malicious behaviors such as typosquatting attacks, malicious takeovers, ATO attacks, Makefile pollution, Bitcoin mining, environment and credential-stealing, and dependency confusion. Previously, he held the role of security researcher at WhiteSource, which included detailed vulnerability research in open source libraries.
Maria Korlotian is an experienced software developer at WhiteSource. She holds a degree in Mechatronics Engineering. In her free time, she enjoys learning new languages and solving algorithmic challenges.