`crossenv` malware on the npm registry
This summary is created by Generative AI and may differ from the actual content.
Overview
User hacktask published packages with names very similar to popular npm packages (typo-squatting) in order to collect data from users who installed them by mistake. The most dangerous package was crossenv. Adam Baldwin of Lift Security assisted in the investigation. npm is supporting Lift Security and the Node Security Project in their static analysis of public registry packages. npm is discussing approaches to prevent publication of packages whose names are very close to existing packages, and is using the Smyte service to detect spam and other TOS violations. Users who installed the packages should revoke and replace their credentials.
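The name-similarity check the summary says npm is discussing can be sketched as a pre-publication gate. The code below is an added example, not npm's own code: it normalizes names (case, scope prefix, separators) so that crossenv and cross-env collapse to the same string, then measures edit distance against a popular-package list. The POPULAR list is constructed for the example; in practice it would come from download statistics.

```javascript
// Added example (not npm's own code): flag a proposed package name that is a
// near-duplicate of a popular one, the kind of pre-publication check the
// summary says npm is discussing. POPULAR is a constructed list for the example.

// Optimal-string-alignment distance: insertions, deletions, substitutions and
// adjacent transpositions each cost 1, so "lodahs" is one edit from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Collapse the variations a reader skims past: case, a scope prefix and the
// separators, so "cross-env", "cross_env" and "crossenv" all become "crossenv".
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '').replace(/[-_.]/g, '');
}

// Popular names the candidate collides with, most similar first. The candidate
// itself (exact, unnormalized match) is excluded: re-publishing your own
// package is not a typosquat.
function typosquatCandidates(candidate, popular, maxDistance = 1) {
  const norm = normalize(candidate);
  const hits = [];
  for (const p of popular) {
    if (p === candidate) continue;
    const distance = editDistance(norm, normalize(p));
    if (distance <= maxDistance) hits.push({ name: p, distance });
  }
  return hits.sort((x, y) => x.distance - y.distance || x.name.localeCompare(y.name));
}

// Constructed stand-in for a "top N downloads" list.
const POPULAR = ['cross-env', 'babel-cli', 'lodash', 'express', 'react'];

// Gate a publish request: true when the name should be held for human review.
function shouldHoldForReview(candidate, popular = POPULAR) {
  return typosquatCandidates(candidate, popular).length > 0;
}

console.log(typosquatCandidates('crossenv', POPULAR)); // [{ name: 'cross-env', distance: 0 }]
console.log(shouldHoldForReview('cross-env'));          // false
```

Normalizing before measuring distance is what catches this incident's case: plain edit distance between crossenv and cross-env is 1, which a threshold of 1 still catches, but a scoped clone such as @acme/cross-env or a variant with underscores is only caught once separators and scope are stripped.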
Impact
At most 50 real installations of crossenv, probably fewer. If users downloaded and installed any of the listed packages, they should immediately revoke and replace any credentials they might have had in their shell environment.
Trigger
A user notified npm via Twitter about the malicious package.
Detection
A user notified npm via Twitter that a package with a name very similar to the popular cross-env package was sending environment variables from its installation context out to npm.hacktask.net. Adam Baldwin of Lift Security also looked into this incident to see if there were any other packages with the same package setup code.
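The malicious behaviour ran from the package's install-time setup code, so a defender-side check is to enumerate every install hook in a dependency tree and read the ones that are not a recognised native build step. The code below is an added example, not npm's or Lift Security's code: it walks a set of package.json manifests, lists preinstall/install/postinstall/prepare scripts, and separates allowlisted build commands from everything else. The manifests, the KNOWN_BUILD allowlist and the file name setup.js are constructed for the example.

```javascript
// Added example (not npm's or Lift Security's code): enumerate the install-time
// lifecycle hooks in a set of package.json manifests and separate the ones that
// are a recognised native build step from the ones a human should read before
// trusting. The manifests and KNOWN_BUILD are constructed for the example;
// "setup.js" is a hypothetical file name, not the real package's.

// Scripts npm runs without being asked when a package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Commands a native addon legitimately runs at install time (constructed
// allowlist; extend it for your own tree).
const KNOWN_BUILD = ['node-gyp rebuild', 'prebuild-install', 'node-pre-gyp install'];

// Split "a || b && c; d" into its simple commands so each can be checked alone.
function simpleCommands(command) {
  return command.split(/\s*(?:\|\||&&|;)\s*/).map(s => s.trim()).filter(Boolean);
}

// A hook is recognised only if every simple command starts with an allowlisted one.
function isRecognizedBuild(command) {
  const parts = simpleCommands(command);
  return parts.length > 0 &&
    parts.every(p => KNOWN_BUILD.some(k => p === k || p.startsWith(k + ' ')));
}

// One record per install-time hook in the tree, with a review verdict.
function auditInstallHooks(manifests) {
  const out = [];
  for (const m of manifests) {
    const scripts = m.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      const command = scripts[hook];
      if (typeof command !== 'string' || command.trim() === '') continue;
      out.push({ name: m.name, version: m.version, hook, command, recognized: isRecognizedBuild(command) });
    }
  }
  return out;
}

// Only the entries a reviewer needs to open.
function needsReview(manifests) {
  return auditInstallHooks(manifests).filter(h => !h.recognized);
}

// Constructed manifests standing in for node_modules/*/package.json.
const SAMPLE_TREE = [
  { name: 'native-addon', version: '2.1.0', scripts: { install: 'node-gyp rebuild', test: 'mocha' } },
  { name: 'prebuilt-addon', version: '1.4.2', scripts: { install: 'prebuild-install || node-gyp rebuild' } },
  { name: 'crossenv-lookalike', version: '0.0.1', scripts: { postinstall: 'node setup.js' } },
  { name: 'plain-lib', version: '3.0.0', scripts: { test: 'jest' } },
];

console.log(needsReview(SAMPLE_TREE)); // one entry: crossenv-lookalike, postinstall, "node setup.js"
```

The allowlist only tells you which hooks are a familiar build invocation, not that they are safe; the flagged entries are the ones to open and read, and an unfamiliar command that merely launches a file (as "node setup.js" does here) means the file itself has to be reviewed. Where install-time scripts are not needed at all, npm's ignore-scripts setting (npm config set ignore-scripts true) prevents them from running in the first place.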
Resolution
All of hacktask's packages have been removed from the npm registry, and the email address hacktask used has been banned from npm.
Root Cause
Deliberate and malicious typo-squatting by user hacktask with the intent to collect useful data from tricked users.
