Npm Packages Vulnerable to Old-School Weapon: the Shift Key

For years, hackers could have tricked enterprises into downloading malware by simply de-capitalizing letters in uppercase-named npm packages.

Since 2017, hackers have been able to mimic legitimate packages on Node Package Manager (npm) by simply removing the capital letters in their titles.
According to newly published research from Checkmarx, npm had for years failed to account for this
form of typosquatting
, which could have led to enterprises inadvertently downloading malware. The registry patched the vulnerability over the weekend, but organizations should be aware of any malicious packages they may have downloaded before the change was made.
Its always good to check the names of the packages that youre installing, to make sure that youre actually installing what you want to install, says Yehuda Gelb, security researcher at Checkmarx, the author of the report. And its always important to have security systems in place, just to be sure.
Typosquatting occurs when cyber miscreants use deliberate but usually subtle misspellings to copy legitimate Web domains. For example, a hacker might use a capital I instead of a lowercase l in the word Google, or zeros in place of the two os.
On Dec. 26, 2017, to address typosquatting in its registry, npm announced
a change to its naming system
. From that date on, packages could only be named using lowercase letters. All the thousands of existing packages with capital letters in their titles remained, though, and no mechanism was implemented to prevent new packages from copying them in all but capitalization.
Consider, for instance, a package created prior to the policy change titled localforage-memoryStorageDriver. For years, any hacker could have uploaded their own package titled localforage-memorystoragedriver — the exact same spelling, and all else being equal, with the only difference being no capitalized letters. An unwitting user would be forgiven for accidentally downloading the copycat.
In the course of their work, the researchers found 3,815 npm packages with capital letters in their titles.
Of those, 1,900 were at risk of lowercase typosquatting. Not all of the packages were vulnerable, Aviad Gershon, a security researcher at Checkmarx, clarifies, because in some cases, the lowercase package names were already taken or it was not possible to register them.
Still, some extremely popular packages were exposed. The researchers pointed to
objectFitPolyfill
, which gets downloaded nearly 200,000 times weekly. In total, Gelb wrote in the report, the download count of the packages at risk is in the tens of millions.
Now that NPM has patched the flaw, malicious actors cant typosquat. Now if you upload a new package with all lowercase letters, its going to say the package name is too similar to an existing package, and then NPM wont allow you to upload that package, Gelb notes.
Rogue npm packages can compromise computers inside an enterprise network, Gershon explains. The risks in bad packages range from information theft to ransomware, cryptomining, and denial of service, he notes.
Even an enterprise thats careful about what it downloads still faces
a supply chain problem
. Packages can also be embedded in the software a supplier is distributing to their customer, and thorough that infect many other victims down the chain.
And so, awareness of typosquatting is necessary but not sufficient.
Luckily, there are enough security solutions out there from so many different vendors — even open source ones, Gelb says.
Gershon points to Overlay — a browser extension that allows developers to evaluate packages on quality, security, and other metrics before downloading them — as an example of one of those tools that could help. So its something that should be easily accessible for any company.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Npm Packages Vulnerable to Old-School Weapon: the Shift Key