Attack on Azure developers | Pentest7

top cybersecurity companies

Malicious npm packages target Azure developers to steal personal data. Typosquatting and automatic tools are the weapons of choice.

A large-scale attack aims at Microsoft Azure developers with malicious npm packages. On Wednesday, JFrog cybersecurity researchers said they had identified hundreds of malicious packages created to steal valuable personal information (PII) from developers.

According to researchers Andrey Polkovnychenko and Shachar Menashe, the repositories were first discovered on March 21 and grew from around 50 malicious npm packages to over 200 in a matter of days.

The perpetrators responsible for the npm repositories have developed an automated script that attacks the npm area @azure in addition to @azure-rest, @azure-tests, @azure-tools and @cadl-lang.

The script is responsible for creating accounts and uploading the npm sets that contain container services, a health bot, testers, and storage packages.

JFrog says typosquatting was used to trick developers into downloading the files. At the time of writing, these packages contained information stealer malware.

Typosquatting is a form of phishing that involves making small changes to an email address, file, or website address to impersonate a legitimate service or content. For example, an attacker could target users of “” by registering a domain name with “” — and by substituting a single letter, he hopes victims won’t notice the resource is fraudulent .

In this case, malicious packages are created with the same name as an existing @azure scope package, but they omit the scope.

“The attacker takes advantage of the fact that some developers mistakenly omit the @azure prefix when installing a package,” the researchers said. “For example, by accidentally running npm install core-tracing instead of the correct command – npm install @azure/core-tracing.”

Also, all npm packages have been over-versioned, which could indicate a dependency confusion attack. “Since this set of legitimate packages is downloaded millions of times each week, there is a high possibility that some developers will fall for the typosquatting attack,” JFrog continued.

JFrog has provided a full list of malicious npm packages detected so far. The npm maintainers removed the malicious files, but Azure developers should beware of further activities by this threat actor.

Leave a Reply

Your email address will not be published.