Resources Blog New npm PoC packages target PayPal Zettle, Airbnb developers

New npm PoC packages target PayPal Zettle, Airbnb developers

Sonatype has identified several npm packages that are named after internal dependencies purportedly used by PayPal Zettle and Airbnb developers.

These packages identified by our automated malware detection systems exploit the well-known dependency confusion technique in an attempt to gain access to these organizations’ internal systems. However, our analysis concludes these are proof-of-concept (PoC) packages published by pen testers hoping to collect a bug bounty.

Counterfeit npm packages target Zettle by PayPal

Tracked as sonatype-2023-3911, the packages published under the Zettle npm scope include the following. Each package has just one version, “35.0.0” published to npm.

@zettle-bo/account-settings

@zettle-bo/account-statement

@zettle-bo/apps

@zettle-bo/bank-settings

@zettle-bo/bootstrapper

@zettle-bo/capital

@zettle-bo/cash-register

@zettle-bo/customers

@zettle-bo/dashboard

@zettle-bo/direct-debit

@zettle-bo/integrations

@zettle-bo/inventory

@zettle-bo/invoices

@zettle-bo/pp-profile-widget

@zettle-bo/products

@zettle-bo/react

@zettle-bo/react-router-dom

@zettle-bo/react-spa

@zettle-bo/receipts

@zettle-bo/routes

@zettle-bo/sales-trends

@zettle-bo/settings

@zettle-bo/shell

@zettle-bo/staff-account

@zettle-bo/vertical-navigation

Upon installation, these packages attempt to download and install other npm packages e.g. “lolzettle-bololbank-settings” from the author’s web server. At the time of writing, the URL returns a blank object ({}) as opposed to functional code.

Screenshot of code editor that shows how a package attempts to download and install other npm packages from the author’s web server, and the URL returns a blank object as opposed to functional code

Sonatype confirmed with the author of these packages, who is a known security researcher in the industry, that these are a part of an ethical research experiment, and that no malicious payload or activity is involved. The researcher, however, did not answer if they earned a bug bounty yet.

Airbnb

Tracked as sonatype-2023-3913, we also analyzed the following packages that appear to target Airbnb developers:

airbn-geetest3

airbnb-env

airbnb-erf

airbnb-i18n-polyglot

airbnb-l10n

airbnb-mediator

airbnb-moment-more-format

These packages collect the system’s username, home directory path, hostname, IP address, and basic information and transmit these to the author’s servers.

Screenshot of code editor that shows how these packages collect the system’s username, home directory path, hostname, IP address, and basic information and transmit these to the author’s servers

Once again, given the metadata included in these packages and no outright malicious code, it appears to be PoC research.

Although these packages may be nothing more than bug bounty exercises, real world threat actors have frequently targeted and continue to target open source ecosystems like npm and PyPI with novel malware – such as cryptojackers, infostealers, and hijacked libraries, to compromise developers and ultimately poison the software supply chain.

While these packages appear to be bug-bounty exercises, Sonatype’s products such as Repository Firewall and Lifecycle stay on top of actual attacks and vulnerabilities and provide you with detailed insights to thwart Potentially Unwanted Applications (PUAs), malware, and vulnerable components from reaching your builds:

Screenshot from Sonatype database showing how this issue is tracked as sonatype-2023-3911 with an explanation of these npm packages as potentially unwanted applications (PUAs))

Users of Sonatype Repository Firewall can rest easy knowing that whether or not these types of packages are just a PoC or actually malicious, they would automatically be blocked from reaching their development builds. Either way, you don’t want them in your software development life cycle.

Picture of Ax Sharma

Written by Ax Sharma

Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime investigations. He has a passion for educating a wide range of audiences through writing and vlogs.

Tags