
I'm trying to understand some of the actions in the npm typosquatting attack of August 2017

In particular I'm wondering why they created future versions of the package 5.0.2 -> 6.1.1 when they didn't exist in the actual cross-env package, which was then version 5.0.1.

Was the intention to trick people into thinking there was a new release of cross-env? Or something else?

This data is on the npm registry at http://registry.npmjs.com/crossenv and http://registry.npmjs.com/cross-env

crossenv

"time": {
  "modified": "2017-08-02T17:51:51.323Z",
  "created": "2017-07-19T04:21:00.066Z",
  "5.0.0-beta.0": "2017-07-19T04:21:00.066Z",
  "5.0.1": "2017-07-19T04:29:03.954Z",
  "5.0.2": "2017-07-19T04:48:44.682Z",
  "5.0.3": "2017-07-19T04:51:57.360Z",
  "5.0.4": "2017-07-19T04:59:01.817Z",
  "5.0.5": "2017-07-19T05:00:21.000Z",
  "6.0.0": "2017-07-19T05:05:01.122Z",
  "6.0.1": "2017-07-19T05:08:46.101Z",
  "6.0.2": "2017-07-19T05:09:38.045Z",
  "6.0.3": "2017-07-19T05:13:25.082Z",
  "6.0.4": "2017-07-19T05:19:26.179Z",
  "6.0.5": "2017-07-19T05:22:10.853Z",
  "6.0.6": "2017-07-19T05:23:51.530Z",
  "6.0.7": "2017-07-19T06:32:58.946Z",
  "6.1.1": "2017-07-19T06:49:52.698Z",
  "0.0.1-security": "2017-08-01T15:18:40.480Z",
  "1.0.0": "2017-08-01T23:02:20.143Z",
  "1.0.1": "2017-08-01T23:04:34.345Z",
  "0.0.2-security": "2017-08-02T17:51:51.323Z"
}

cross-env

"time": {
  "modified": "2018-02-09T03:33:48.390Z",
  "created": "2015-10-01T23:19:27.453Z",
  "1.0.0": "2015-10-01T23:19:27.453Z",
  "1.0.1": "2015-10-01T23:21:22.614Z",
  "1.0.2": "2015-11-11T17:59:13.769Z",
  "1.0.3": "2015-11-11T18:06:27.921Z",
  "1.0.4": "2015-11-12T04:43:44.960Z",
  "1.0.5": "2015-11-28T00:08:43.483Z",
  "1.0.6": "2015-12-25T14:24:39.795Z",
  "1.0.7": "2016-01-03T15:08:15.687Z",
  "1.0.8": "2016-05-24T04:03:50.508Z",
  "2.0.0": "2016-07-13T13:13:29.016Z",
  "2.0.1": "2016-08-29T15:53:22.671Z",
  "3.0.0": "2016-09-24T15:57:49.893Z",
  "3.1.0": "2016-10-04T17:12:38.918Z",
  "3.1.1": "2016-10-04T18:01:38.972Z",
  "3.1.2": "2016-10-08T14:19:48.594Z",
  "3.1.3": "2016-10-15T07:29:35.216Z",
  "3.1.4": "2017-01-03T04:15:04.127Z",
  "3.2.0": "2017-03-04T15:24:55.509Z",
  "3.2.1": "2017-03-04T15:59:00.089Z",
  "3.2.2": "2017-03-04T16:13:55.420Z",
  "3.2.3": "2017-03-04T16:44:27.226Z",
  "3.2.4": "2017-03-14T16:24:01.735Z",
  "4.0.0-beta.0": "2017-03-27T01:51:04.557Z",
  "4.0.0": "2017-03-31T02:07:49.386Z",
  "5.0.0-beta.0": "2017-04-18T22:23:44.244Z",
  "5.0.0": "2017-05-11T17:11:57.532Z",
  "5.0.1": "2017-06-08T02:25:45.854Z",
  "5.0.2": "2017-08-01T15:55:40.312Z",
  "5.0.3": "2017-08-03T14:03:10.102Z",
  "5.0.4": "2017-08-06T09:53:45.362Z",
  "5.0.5": "2017-08-08T19:46:32.639Z",
  "5.1.0": "2017-10-16T16:53:17.200Z",
  "5.1.1": "2017-10-27T15:41:23.519Z",
  "5.1.2": "2017-12-21T18:39:35.395Z",
  "5.1.3": "2017-12-21T23:01:37.789Z"
}
chestercodes
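The version lists above can be compared mechanically. The following is an added example written for this page (it is not code from the question, from npm, or from the cross-env project): it reads two registry `time` maps, orders the lookalike's versions by publish time, and sorts each one into "mimicked a release the real package already had" or "published ahead of anything the real package had released at that moment". Assumptions: the `time` object has the shape quoted in the question (version strings plus `created`/`modified` keys); the embedded data is hand-copied from the two registry documents, with the cross-env side reduced to a subset of versions around the incident, so a run against the full document would list more mimicked versions. The `-security` placeholder versions sort below everything and therefore land in neither bucket.

```javascript
// Added example, not part of the question or of npm. Compares the registry
// "time" maps of a lookalike package and the package it imitates.
//
// Hand-copied from the registry documents quoted in the question. The
// cross-env object is a SUBSET of versions around the incident.
const CROSSENV_TIME = {
  modified: '2017-08-02T17:51:51.323Z',
  created: '2017-07-19T04:21:00.066Z',
  '5.0.0-beta.0': '2017-07-19T04:21:00.066Z',
  '5.0.1': '2017-07-19T04:29:03.954Z',
  '5.0.2': '2017-07-19T04:48:44.682Z',
  '5.0.3': '2017-07-19T04:51:57.360Z',
  '5.0.4': '2017-07-19T04:59:01.817Z',
  '5.0.5': '2017-07-19T05:00:21.000Z',
  '6.0.0': '2017-07-19T05:05:01.122Z',
  '6.0.1': '2017-07-19T05:08:46.101Z',
  '6.0.2': '2017-07-19T05:09:38.045Z',
  '6.0.3': '2017-07-19T05:13:25.082Z',
  '6.0.4': '2017-07-19T05:19:26.179Z',
  '6.0.5': '2017-07-19T05:22:10.853Z',
  '6.0.6': '2017-07-19T05:23:51.530Z',
  '6.0.7': '2017-07-19T06:32:58.946Z',
  '6.1.1': '2017-07-19T06:49:52.698Z',
  '0.0.1-security': '2017-08-01T15:18:40.480Z',
  '1.0.0': '2017-08-01T23:02:20.143Z',
  '1.0.1': '2017-08-01T23:04:34.345Z',
  '0.0.2-security': '2017-08-02T17:51:51.323Z',
};

const CROSS_ENV_TIME = {
  created: '2015-10-01T23:19:27.453Z',
  '1.0.0': '2015-10-01T23:19:27.453Z',
  '1.0.1': '2015-10-01T23:21:22.614Z',
  '4.0.0': '2017-03-31T02:07:49.386Z',
  '5.0.0-beta.0': '2017-04-18T22:23:44.244Z',
  '5.0.0': '2017-05-11T17:11:57.532Z',
  '5.0.1': '2017-06-08T02:25:45.854Z',
  '5.0.2': '2017-08-01T15:55:40.312Z',
  '5.0.3': '2017-08-03T14:03:10.102Z',
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else,
// which is how the "created"/"modified" keys get filtered out below.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  return m && { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer precedence: numeric triple first; a pre-release sorts below its
// release; pre-release identifiers compare piecewise, numeric before alpha.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 || pb.pre.length === 0) {
    return pa.pre.length === pb.pre.length ? 0 : (pa.pre.length ? -1 : 1);
  }
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i], nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (nx !== ny) return nx ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return Math.sign(pa.pre.length - pb.pre.length);
}

// Turn a registry "time" map into [{version, publishedAt}] in publish order.
function publishedVersions(time) {
  return Object.keys(time)
    .filter(v => parseSemver(v) !== null)
    .map(v => ({ version: v, publishedAt: Date.parse(time[v]) }))
    .sort((a, b) => a.publishedAt - b.publishedAt);
}

// For each lookalike version, look only at what the real package had
// released by that timestamp: same string => mimicked; greater than all of
// them => published ahead of the real package.
function lookalikeReport(suspectTime, legitTime) {
  const legit = publishedVersions(legitTime);
  const ahead = [], mimicked = [];
  for (const s of publishedVersions(suspectTime)) {
    const knownThen = legit.filter(l => l.publishedAt <= s.publishedAt);
    if (knownThen.length === 0) continue; // real package did not exist yet
    if (knownThen.some(l => l.version === s.version)) mimicked.push(s.version);
    else if (knownThen.every(l => compareSemver(s.version, l.version) > 0)) ahead.push(s.version);
  }
  return { ahead, mimicked };
}

const report = lookalikeReport(CROSSENV_TIME, CROSS_ENV_TIME);
console.log('mimicked existing cross-env releases:', report.mimicked);
console.log('published ahead of cross-env at the time:', report.ahead);
```

Against this data the report lists 5.0.0-beta.0, 5.0.1, 1.0.0 and 1.0.1 as mimicked and the thirteen versions 5.0.2 through 6.1.1 as ahead of cross-env on 2017-07-19; note that the comparison is done at publish time, so crossenv@5.0.2 counts as "ahead" even though cross-env@5.0.2 was released two weeks later. To run this against live data, replace the two constants with the `time` field of `http://registry.npmjs.com/<name>`.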
  • You hoping the attacker drops in and confirms? =) Since it’s not possible to publish over npm versions, they might have been revisions of the package. Hard to tell now without asking npm staff. – Ry- Feb 09 '18 at 10:23
  • This question is actually a honeypot :) They could publish the same versions crossenv@1.0.0 to mimic cross-env@1.0.0 etc. I'm confused why they didn't do this and instead tried to push for future ones. I'm aware there probably won't be an answer, just wondering if SO has any ideas. – chestercodes Feb 09 '18 at 10:30
  • Looking at [another of the packages](http://registry.npmjs.com/cross-env.js) it seems that they didn't do this for the other 39 packages in the attack, so I think it was just an outlier. – chestercodes Feb 09 '18 at 10:47

0 Answers