Ax Sharma
October 24, 2022
Last week, when reviewing multiple packages flagged by Socket’s sleek GitHub App, a finding that stood out was an npm package called, ‘state-counter’ which, at the time of writing, has received almost 1000 downloads.
We’ve previously seen various statistical tools written in NodeJS including simple “visit” counters but a “state-counter,” you say?
In addition to containing obfuscated code, the package hits several red flags that warranted us to take a closer look:
Nearly all versions of ‘state-counter’ contain tightly packed obfuscated code in the “counter.js” file. Interestingly, comments left by the package author in the JavaScript file mislead you to believe the package is indeed a “stat” counter—or related to the legitimate StatCounter.com operation:
A classic technique exhibited by malicious open source packages leveraging brandjacking and typosquatting techniques.
Moreover, the copyright banner attributing the code to Twitter is even flimsier as neither the code contained in the package nor the company StatCounter have anything to do with Twitter.
The obfuscation contained in later versions of “state-counter” is quite complex with most plaintext strings scrambled haphazardly. Analyzing earlier versions, now unpublished from npm by the author but preserved by Socket, helped us better understand the true nature of the package during static analysis.
A quick glance at the (plaintext) string array alone showed fragments of several URLs, including one starting with https://t.co/ - Twitter’s URL shortener:
This fragmented URL, hxxps://t(.)co/MNf6frRTSs redirects to an adult love doll and toy store:
Other references in the code point to specific sections of the online store, as well as ascertaining the user’s timezone, language as well as search engine settings. On meeting the specified criteria, the adware launches the NSFW URL on a user’s system.
Based on the criteria specified, “state-counter” appears to target China-based developers and users.
Granted, this typosquat isn’t nearly as sinister as malicious npm packages previously caught launching cryptominers, password stealers, and even ransomware scripts. But, it still counts as a counterfeit component posing risk to the overall security, integrity, and hygiene of the open source software ecosystem.
Ongoing threats to the software supply chain include package hijacks and dependency confusion PoCs, such as 'surveyoptic’ and ‘wormhole-chain-sdk’—the latter targeting an actual internal dependency of Wormhole Foundation’s SDK. These are just a few examples of unwanted components identified by Socket this week.
We reported “state-counter” to npm prior to publishing and it was taken down shortly by GitHub’s security team.
Developers can install Socket’s free GitHub app which can detect malicious uses of obfuscated code among other supply chain risks in your npm packages.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Security News
Ransomware payment demands are rising in 2023, driving a higher demand for cyber insurance and an increase in premiums.
Product
Changelog
We just released v0.9.0 of the Socket CLI with some improvements to the socket info command so you can get useful information about an npm package, right in the terminal.
Security News
The financial services sector has been hit by a recent surge of ransomware attacks, disrupting operations at major institutions such as Fidelity National Financial and the Industrial and Commercial Bank of China. These attacks underscore the importance of swift security measures in addressing vulnerabilities on enterprise systems.
