A “large scale” attack is targeting Microsoft Azure developers through malicious npm packages.
On Wednesday, cybersecurity researchers from JFrog said that hundreds of malicious packages have been identified, created to steal valuable personally identifiable information (PII) from developers.
According to researchers Andrey Polkovnychenko and Shachar Menashe, the repositories were first detected on March 21 and steadily grew from roughly 50 malicious npm packages to over 200 in a matter of days.
The miscreants responsible for the npm repositories have developed an automated script that targets the @azure npm scope, alongside @azure-rest, @azure-tests, @azure-tools, and @cadl-lang.
The script is responsible for creating accounts and uploading the npm sets, which include container services, a health bot, testers, and storage packages.
JFrog says that typosquatting has been used to try to dupe developers into downloading the files. At the time of writing, these packages contained information stealer malware.
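As a defensive illustration of the typosquatting described above, the following added example (not code from JFrog or from the article) audits a dependency list for names that imitate the five targeted scopes. The allowlist, the sample dependencies, the edit-distance threshold of 1, and the "unscoped twin" check are assumptions made for the example; the article does not detail the naming scheme the attackers used.

```javascript
// Scopes named in the article as targets of the campaign.
const TARGETED_SCOPES = ['@azure', '@azure-rest', '@azure-tests', '@azure-tools', '@cadl-lang'];

// Constructed sample data: packages the team intends to use, and a
// dependency map as it might appear in package.json (versions are made up).
const ALLOWLIST = new Set(['@azure/storage-blob', '@azure/core-tracing']);
const SAMPLE_DEPS = {
  '@azure/storage-blob': '1.0.0',
  '@azurre/identity': '1.0.0', // constructed look-alike scope
  'core-tracing': '1.0.0',     // constructed: allowlisted name with scope dropped
  'lodash': '1.0.0',
};

// Levenshtein edit distance between two strings (two-row dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns findings for dependencies that are not allowlisted and either
// (a) use a scope one edit away from a targeted scope, or
// (b) are unscoped but share their name with an allowlisted scoped package.
function auditDependencies(deps, allowlist) {
  const bareToScoped = new Map([...allowlist].map((n) => [n.split('/')[1], n]));
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (allowlist.has(name)) continue;
    if (name.startsWith('@')) {
      const scope = name.split('/')[0];
      // An exact scope match is published by that scope's owner on npm.
      if (TARGETED_SCOPES.includes(scope)) continue;
      const near = TARGETED_SCOPES.find((s) => editDistance(scope, s) <= 1);
      if (near) findings.push({ name, reason: `scope resembles ${near}` });
    } else if (bareToScoped.has(name)) {
      findings.push({ name, reason: `unscoped twin of ${bareToScoped.get(name)}` });
    }
  }
  return findings;
}
```

Running `auditDependencies(SAMPLE_DEPS, ALLOWLIST)` in CI before `npm install` lets a build fail on a look-alike name instead of executing its install scripts.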
Typosquatting is a form of phishing in which small changes are made to an email address, file, or website address to mimic a legitimate service or content. For example, an attacker could target users of “your-company.com” by registering a domain name with “your-c0mpany.com” — and by replacing a single letter, they hope that victims do