DevSecOps, Malware, Vulnerability Management

NPM repository flooded with 15,000 phishing packages


The battle against threat actors targeting the open-source ecosystem continues, with researchers observing a sudden surge of over 15,000 phishing packages flooding NPM, the world's largest free software registry.

The malicious packages were created using an automated process to distribute links to phishing campaigns across a few hours between Feb. 20 and 21. It was carried out through multiple user accounts, making it difficult for security teams to identify and remove packages quickly, Checkmarx researcher Yehuda Gelb noted in a Tuesday blog post.  

A large number of corrupted packages use names related to game cheats, free resources, and social media platforms, such as "free-tiktok-followers" and "free-xbox-codes," to entice users to click the links and direct them to multiple well-designed phishing webpages.  
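For defenders triaging a registry publish feed, the two traits reported above (lure-style names and a burst of uploads from several accounts within hours) can be combined into a simple heuristic. The sketch below is an added example, not code from Checkmarx or SC Media; the lure tokens beyond those in the two quoted names, the thresholds, and the event records are assumptions constructed for illustration.

```javascript
// Assumption: only "free", "followers" and "codes" come from the names quoted in
// the article; the remaining tokens are illustrative guesses.
const LURE_TOKENS = new Set(["free", "followers", "codes", "cheats", "generator"]);

// Count lure tokens in a package name ("free-xbox-codes" -> 2).
function lureScore(name) {
  const tokens = name.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
  return tokens.filter((t) => LURE_TOKENS.has(t)).length;
}

// Group lure-named publishes into time windows and report a window only when it
// holds enough packages AND enough distinct accounts (thresholds are assumptions).
function findSpamBursts(events, opts = {}) {
  const { windowMs = 6 * 3600 * 1000, minPackages = 3, minAccounts = 2 } = opts;
  const hits = events
    .filter((e) => lureScore(e.name) >= 2) // one lure word alone is too noisy
    .map((e) => ({ ...e, ts: Date.parse(e.published) }))
    .sort((a, b) => a.ts - b.ts);
  const bursts = [];
  let group = [];
  const flush = () => {
    const accounts = new Set(group.map((e) => e.publisher));
    if (group.length >= minPackages && accounts.size >= minAccounts) {
      bursts.push({
        start: group[0].published,
        packages: group.map((e) => e.name),
        accounts: [...accounts],
      });
    }
    group = [];
  };
  for (const hit of hits) {
    // Close the current window once a hit falls outside it.
    if (group.length && hit.ts - group[0].ts > windowMs) flush();
    group.push(hit);
  }
  flush();
  return bursts;
}

// Constructed sample feed (not real registry data).
const SAMPLE_EVENTS = [
  { name: "free-tiktok-followers", publisher: "acct-a", published: "2023-02-20T22:10:00Z" },
  { name: "left-pad-lite", publisher: "acct-d", published: "2023-02-20T22:30:00Z" },
  { name: "free-xbox-codes", publisher: "acct-b", published: "2023-02-20T23:40:00Z" },
  { name: "free-port-finder", publisher: "acct-e", published: "2023-02-21T00:15:00Z" },
  { name: "free-followers-generator", publisher: "acct-c", published: "2023-02-21T01:05:00Z" },
  { name: "free-gift-codes", publisher: "acct-f", published: "2023-03-15T09:00:00Z" },
];
console.log(JSON.stringify(findSpamBursts(SAMPLE_EVENTS), null, 2));
```

A name with a single lure word and an isolated lure-named publish both fall below the thresholds, so only the three-package, three-account window is reported.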

Upon further investigation of the phishing websites, the Checkmarx team found some directed users to eCommerce sites with referral IDs, including AliExpress, one of the world's largest online retail platforms.

"Like many other retail websites, AliExpress offers a referral program that rewards members for referring new customers to the platform. If the threat actors refer their victims to AliExpress and they make a purchase, the threat actors' accounts will receive a referral reward in the form of a coupon or store credit," Gelb explained. "This highlights the potential financial gain for threat actors who engage in phishing campaigns like this one."

In this case, while the consequences of the attacks may not appear as severe as some other open source vulnerabilities, Gelb told SC Media that this tactic could easily be adapted to cause significant harm in the future.

"For example, an attacker could deceive a victim into visiting a site that installs ransomware on their computer or steals sensitive information," Gelb said.

In addition, he highlighted the use of automation and the effort to create many user accounts to conceal the scale of the attack, saying it shows "the sophistication and determination of these attackers, who were willing to invest significant resources in order to carry out this campaign." 

Attackers have constantly invested in automation to quickly grow their reach and impact. In April last year, Checkmarx detailed the novel techniques a threat actor called RED-LILI used to publish malicious NPM packages from automatically created user accounts.  

In December last year, researchers from Checkmarx and Illustria found 144,000 malicious packages published to NuGet, NPM, and PyPI using automation to distribute phishing links. Interestingly, Gelb said the threat actor behind the Feb. 20 and 21 attacks appears to be the same as this spam attack detected in December.

"We believe it is the same attacker because of their use of similar tactics, including the similar pattern of package names and a similar method of monetization," Gelb explained.

Roger Grimes, a defense evangelist at KnowBe4, said these overt attempts to spam an open source ecosystem do not bother him as much as those attempting to blend in.  

"While being flooded with spam is never good, it gets immediately noticed and mitigated. It's harder for open source projects to spot and stop rare one-offs," he said.  

However, Gelb underscored the importance of understanding the recent spam attack on the NPM platform as it highlights the growing trend of attackers exploiting the trust of open source ecosystems, and he expects this trend to continue.

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.
