Phishing Links Distributed Via Thousands of Rogue NPM Modules

The battle against threat actors targeting open-source ecosystems continues as security researchers uncover thousands of spam packages flooding the NPM repository. These packages were uploaded to the repository in an attempt to distribute phishing links. 

What happened?

Researchers at Checkmarx came across a malicious campaign while investigating an anomaly in the NPM ecosystem on the 20th of February. 
  • They found that cyber miscreants dropped over 15,000 npm modules via multiple user accounts within hours. 
  • They reportedly used a Python script that automated the process of generating names and project descriptions that closely resembled one another.
  • The bogus modules had names like "free-tiktok-followers," "free-xbox-codes," and "instagram-followers-free" to bait unsuspecting users.

Modus operandi

The malicious packages included links to phishing campaigns in their README.md files with tempting descriptions that lured users. 
  • Users were assured of game cheats, free resources, and likes on social media platforms including TikTok and Instagram.
  • In some cases, the deceptive pages included fake interactive chats that appeared to show users receiving the game cheats or followers they were promised.
  • Some of these phishing sites included a built-in flow that pretended to process data and generate the promised gifts. 
  • However, this process failed most of the time, and victims were then asked to complete a survey that led either to further surveys or to legitimate e-commerce sites.
  • Some of these fake websites appeared to redirect users to e-commerce sites with referral IDs that belonged to the threat actors. 
  • If the victims made an online purchase through the site, a referral reward in the form of a coupon or store credit was credited to the threat actors' accounts.
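The pattern described above (thousands of near-identical package names published in a burst from a few accounts, with READMEs that carry off-registry links and bait wording) can be triaged from registry metadata. The following is an added defender-side example, not code from the article or from Checkmarx; the thresholds are tunable starting points, and every package record, account name and URL in it is constructed.

```javascript
// Added example (not Cyware's or Checkmarx's code): triage of npm package metadata for
// bursts of look-alike packages whose READMEs carry off-registry links with bait wording.
// All records below are constructed; account names, package names and URLs are placeholders.
const LURE_WORDS = ["free", "followers", "codes", "cheat", "generator", "giveaway"];
const LINK_RE = /https?:\/\/[^\s)\]"']+/g;

// Split a package name on common separators so near-duplicates share tokens.
function tokens(name) {
  return new Set(name.toLowerCase().split(/[-_.\s]+/).filter(Boolean));
}
// Jaccard similarity of two token sets (1 = identical token sets).
function jaccard(a, b) {
  const inter = [...a].filter((t) => b.has(t)).length;
  const union = new Set([...a, ...b]).size;
  return union === 0 ? 0 : inter / union;
}

// Reasons a package looks suspicious given the account's other publishes; [] = clean.
function triagePackage(pkg, all, { windowMs = 3600e3, burstMin = 50, simMin = 0.5 } = {}) {
  const reasons = [];
  const peers = all.filter((p) => p.author === pkg.author && p.name !== pkg.name);
  const t = Date.parse(pkg.published);
  // 1. Publishing burst: many packages from one account inside the time window.
  const burst = peers.filter((p) => Math.abs(Date.parse(p.published) - t) <= windowMs).length + 1;
  if (burst >= burstMin) reasons.push(`burst:${burst}`);
  // 2. Look-alike naming: the name shares most of its tokens with sibling packages.
  const mine = tokens(pkg.name);
  const alike = peers.filter((p) => jaccard(mine, tokens(p.name)) >= simMin).length;
  if (alike >= 2) reasons.push(`lookalike:${alike}`);
  // 3. README bait: off-registry links combined with several lure words.
  const links = (pkg.readme.match(LINK_RE) || []).filter((u) => !u.includes("npmjs.com"));
  const lures = LURE_WORDS.filter((w) => pkg.readme.toLowerCase().includes(w));
  if (links.length > 0 && lures.length >= 2) reasons.push(`readme-bait:${links.length}`);
  return reasons;
}

// Constructed sample: one account publishing 60 look-alike packages 30 s apart, plus one ordinary package.
function constructSample() {
  const base = Date.parse("2023-02-20T10:00:00Z");
  const pkgs = Array.from({ length: 60 }, (_, i) => ({
    name: `free-${["tiktok", "xbox", "instagram"][i % 3]}-followers-${i}`,
    author: "spam-account-placeholder",
    published: new Date(base + i * 30e3).toISOString(),
    readme: "Get FREE followers and codes now: https://example.invalid/claim",
  }));
  pkgs.push({ name: "string-pad-placeholder", author: "maintainer-placeholder",
    published: new Date(base).toISOString(), readme: "Pads strings. Docs: https://npmjs.com/x" });
  return pkgs;
}
// Map each flagged package name to its reasons; clean packages are dropped.
function triageAll(pkgs) {
  return Object.fromEntries(pkgs.map((p) => [p.name, triagePackage(p, pkgs)]).filter(([, r]) => r.length));
}
```

Against a real registry feed the same three signals would be fed from the publish timeline, the account's package list and the README text, with the thresholds tuned to the observed baseline.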

A glance at the growing trend of automated attacks

This is not the first time that attackers have been found using automation to poison the NPM ecosystem. There were similar incidents observed in the previous year.
  • A threat actor named CuteBoi used automation to publish more than 1,200 npm packages, which included the ability to bypass the 2FA challenge. These packages were uploaded to the repository to launch cryptomining attacks. 
  • In another incident, a threat actor called RED-LILI used automated programs to publish malicious NPM packages from different user accounts. 

Rogue packages a rising threat

In recent years, there has been a significant rise in malicious code package attacks that can compromise an organization’s data, disrupt its operations, and damage its reputation.
  • Last year, the number of malicious code packages rose by 633%, Check Point researchers revealed.
  • The NPM and PyPI repositories remain the prime targets for malicious packages, since malicious code can easily be triggered during package installation.

Conclusion

As attackers continue to adopt new tactics to poison software supply chain ecosystems, it is crucial for organizations to verify the legitimacy of all source code acquired from third parties or open-source platforms. Performing periodic audits of code packages and validating the correct versions helps organizations prevent attacks arising from malicious packages.
Cyware Publisher