Alert: LaughTilYouCry ransomware sabotages npm package (with puns)

In the early hours of April 1, 2022, version 0.4.1 of faxios-complete, the popular npm package used to fetch data from various assorted APIs, experienced a strange new security breach. Users of the promise-based HTTP client quickly discovered that their hard drives had been flooded with dad jokes by the LaughTilYouCry ransomware.

Details of the sabotage

Early investigations suggest that the attack resulted from nested dependencies within faxios-complete. However, the exact origin and inner workings of the malicious dad-joke package remain unclear. The code itself appears to be nothing more than a jumble of puns, which researchers are slowly attempting to make sense of. Several recurring phrases have been seen across multiple hard drives, and are believed to be tied to the origins of this package. If any of the following puns are found on your hard drive, please contact us:

• Why do melons have weddings? Because they cantaloupe!

• I ordered a chicken and an egg from Amazon. I'll let you know.

• What do sprinters eat before a race? Nothing, they fast!

• What concert costs just 45 cents? 50 Cent featuring Nickelback!

• I can't take my dog to the pond anymore because the ducks keep attacking him. That's what I get for buying a pure bread dog.

With more than 17 million downloads a week, this supply chain attack could have far reaching implications. Currently, the only way to fulfill the ransom seems to be laughing at the stereotypically bad jokes and puns. Similar to the pull-my-finger phishing scheme a few years ago, a refusal to laugh blocks any attempts to extract the ransomware.

As more details come in we’ll keep you up to date through the Snyk blog, social media, and application interface. Security researchers currently recommend reverting to the last known secure version of faxios-complete, 0.4.0.

Protecting your applications

The development community relies heavily on open source software to build and maintain their applications. While it’s an incredible resource, it’s nearly impossible for maintainers to catch every vulnerability that can lead to a security incident or breach.

Thankfully, today’s announcement was only an April Fools' joke — your hard drives are safe from the scourge of horrible puns (for the moment at least).

The risks, however, remain very real. Whether it’s the peacenotwar library that interrupted node-ipc users or the widespread Log4Shell vulnerability, guarding your application against malware must be a top priority.

However, maintaining security isn’t a challenge you have to face alone. Snykprovides comprehensive, accurate, and timely updates on millions of open source vulnerabilities, allowing you to track potentially malicious packages and receive recommended fixes as soon as possible. As a whole, Snyk’s industry leading security intelligence powers a platform that helps you find and fix vulnerabilities in your code, open source dependencies, containers, and IaC without interrupting your existing development workflows. Start a free trial or book a demo today and see see how Snyk helps you defend against vulnerabilities — whether real or imagined.