Ax Sharma
October 24, 2022
Last week, when reviewing multiple packages flagged by Socket’s sleek GitHub App, a finding that stood out was an npm package called, ‘state-counter’ which, at the time of writing, has received almost 1000 downloads.
We’ve previously seen various statistical tools written in NodeJS including simple “visit” counters but a “state-counter,” you say?
In addition to containing obfuscated code, the package hits several red flags that warranted us to take a closer look:
Nearly all versions of ‘state-counter’ contain tightly packed obfuscated code in the “counter.js” file. Interestingly, comments left by the package author in the JavaScript file mislead you to believe the package is indeed a “stat” counter—or related to the legitimate StatCounter.com operation:
A classic technique exhibited by malicious open source packages leveraging brandjacking and typosquatting techniques.
Moreover, the copyright banner attributing the code to Twitter is even flimsier as neither the code contained in the package nor the company StatCounter have anything to do with Twitter.
The obfuscation contained in later versions of “state-counter” is quite complex with most plaintext strings scrambled haphazardly. Analyzing earlier versions, now unpublished from npm by the author but preserved by Socket, helped us better understand the true nature of the package during static analysis.
A quick glance at the (plaintext) string array alone showed fragments of several URLs, including one starting with https://t.co/ - Twitter’s URL shortener:
This fragmented URL, hxxps://t(.)co/MNf6frRTSs redirects to an adult love doll and toy store:
Other references in the code point to specific sections of the online store, as well as ascertaining the user’s timezone, language as well as search engine settings. On meeting the specified criteria, the adware launches the NSFW URL on a user’s system.
Based on the criteria specified, “state-counter” appears to target China-based developers and users.
Granted, this typosquat isn’t nearly as sinister as malicious npm packages previously caught launching cryptominers, password stealers, and even ransomware scripts. But, it still counts as a counterfeit component posing risk to the overall security, integrity, and hygiene of the open source software ecosystem.
Ongoing threats to the software supply chain include package hijacks and dependency confusion PoCs, such as 'surveyoptic’ and ‘wormhole-chain-sdk’—the latter targeting an actual internal dependency of Wormhole Foundation’s SDK. These are just a few examples of unwanted components identified by Socket this week.
We reported “state-counter” to npm prior to publishing and it was taken down shortly by GitHub’s security team.
Developers can install Socket’s free GitHub app which can detect malicious uses of obfuscated code among other supply chain risks in your npm packages.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.
Security News
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
