Attackers Flood NPM Repository with Over 15,000 Spam Packages Containing Phishing Links

February 22, 2023 | Ravie Lakshmanan | Open Source / Supply Chain Attack


In an ongoing attack on the open source ecosystem, over 15,000 spam packages flooded npm repositories trying to distribute phishing links.

“The packages were created using an automated process, and the project descriptions and auto-generated names were very similar to each other,” Checkmarx researcher Yehuda Gelb said in a report Tuesday.

“The attackers used referral IDs to browse retail websites and profit from the referral rewards they earned.”

The modus operandi involved polluting the registry with malicious packages whose README.md files contained links to phishing campaigns, reminiscent of a similar campaign that a software supply chain security firm documented in December 2022.

The fake modules used names such as ‘free-tiktok-followers’, ‘free-xbox-codes’ and ‘instagram-followers-free’ to masquerade as cheats and free resources.

The ultimate goal of this operation is to trick users into downloading packages and clicking links to phishing sites with false promises of more followers on social media platforms.

“The deceptive webpages are well-designed and in some cases even include fake interactive chats in which users appear to be receiving game cheats or displaying promised followers,” Gelb explained.


These websites encourage victims to complete surveys, paving the way for additional surveys or redirecting them to legitimate e-commerce portals like AliExpress.

The packages were said to have been uploaded to npm from multiple user accounts within a few hours on February 20-21, 2023, using a Python script that automated the entire process.

The Python script is also designed to add a link to each published npm package on a WordPress website operated by the threat actor that claims to offer cheats for the game Family Island.

This is achieved by using the selenium Python package to interact with the website and make the necessary changes.

Overall, the use of automation allowed the attackers to publish a large number of packages in a short amount of time, and spreading the uploads across multiple user accounts helped hide the scale of the attack.
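The signals the report describes (phishing links in README.md, lure-style auto-generated names, near-identical descriptions, and bursts of publishes from several accounts within hours) are exactly what a registry monitor or an internal package-allowlisting pipeline can score on. The following Python is an added example of such a triage heuristic; it is not Checkmarx's tooling and not part of the original article. The package records, account names, timestamps and `example.invalid` URLs are constructed, and the token list, trusted-host allowlist, weights and threshold are assumptions to be tuned against real registry data.

```python
"""Heuristic triage of npm package metadata for README-phishing spam waves (added example)."""
import re
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s)\]>\"']+")
# Tokens from the lure names quoted in the report plus a few obvious relatives (assumed list).
LURE_TOKENS = {"free", "followers", "codes", "cheats", "generator", "hack", "giveaway"}
# Hosts a legitimate README routinely links to; links there do not count as suspicious (assumed).
TRUSTED_HOSTS = {"github.com", "gitlab.com", "www.npmjs.com", "npmjs.com"}

# Constructed sample of registry metadata: three lure packages uploaded from two accounts
# within minutes, plus one ordinary package published weeks earlier.
SAMPLE_PACKAGES = [
    {"name": "free-tiktok-followers", "publisher": "acct-a", "published": "2023-02-20T22:10:00",
     "description": "Free followers generator 2023",
     "readme": "Get free followers now! Claim at https://example.invalid/tiktok"},
    {"name": "free-xbox-codes", "publisher": "acct-b", "published": "2023-02-20T22:14:00",
     "description": "Free codes generator 2023",
     "readme": "Free Xbox codes generator https://example.invalid/xbox"},
    {"name": "instagram-followers-free", "publisher": "acct-a", "published": "2023-02-20T22:20:00",
     "description": "Free followers generator 2023",
     "readme": "Unlimited followers here https://example.invalid/insta"},
    {"name": "left-pad-clone", "publisher": "dev-x", "published": "2023-01-05T10:00:00",
     "description": "String padding utility",
     "readme": "Pads strings. Source: https://github.com/example/left-pad-clone"},
]


def external_links(readme):
    """Return README URLs whose host is not on the trusted allowlist."""
    return [u for u in URL_RE.findall(readme)
            if (urlparse(u).hostname or "") not in TRUSTED_HOSTS]


def lure_token_count(name):
    """Count lure tokens in a package name split on '-', '_' and '.'."""
    return len(set(re.split(r"[-_.]", name.lower())) & LURE_TOKENS)


def burst_members(packages, window=timedelta(hours=6), min_packages=3, min_accounts=2):
    """Names of packages that fall inside a publish burst spanning several accounts."""
    ordered = sorted(packages, key=lambda p: p["published"])
    times = [datetime.fromisoformat(p["published"]) for p in ordered]
    members, start = set(), 0
    for end in range(len(ordered)):
        while times[end] - times[start] > window:   # slide the window forward
            start += 1
        group = ordered[start:end + 1]
        if len(group) >= min_packages and len({p["publisher"] for p in group}) >= min_accounts:
            members.update(p["name"] for p in group)
    return members


def max_description_similarity(pkg, packages):
    """Highest similarity between this description and any other package's description."""
    others = [p["description"] for p in packages if p["name"] != pkg["name"]]
    return max((SequenceMatcher(None, pkg["description"], d).ratio() for d in others), default=0.0)


def spam_report(packages, threshold=3):
    """Score every package on the four signals and flag those at or above the threshold."""
    bursty = burst_members(packages)
    report = {}
    for pkg in packages:
        score, reasons = 0, []
        links = external_links(pkg["readme"])
        if links:
            score += 1
            reasons.append(f"external README link(s): {links}")
        if lure_token_count(pkg["name"]) >= 2:
            score += 2
            reasons.append("lure-style auto-generated name")
        if pkg["name"] in bursty:
            score += 2
            reasons.append("published in a multi-account burst")
        if max_description_similarity(pkg, packages) >= 0.8:
            score += 1
            reasons.append("near-duplicate description")
        report[pkg["name"]] = {"score": score, "flagged": score >= threshold, "reasons": reasons}
    return report


if __name__ == "__main__":
    for name, result in spam_report(SAMPLE_PACKAGES).items():
        print(f"{name}: score={result['score']} flagged={result['flagged']} {result['reasons']}")
```

A single signal is deliberately not enough: plenty of honest packages link out from their README, so the link counts for one point while the name pattern and the cross-account burst, which the report singles out as the hallmark of this campaign, carry the weight. On real registry feeds the burst detector is the cheapest early warning, since it needs only publish timestamps and publisher ids, not package contents.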

“This shows the sophistication and determination of these actors who were willing to invest significant resources to carry out this campaign,” said Gelb.

The findings once again highlight the challenges in securing the software supply chain as attackers continue to adapt to “new and unexpected techniques.”
