
Attackers flooded the npm open source package repository with fake packages, causing a temporary denial of service (DoS).
Jossef Harush Kadouri of Checkmarx said in a report published last week that “attackers created malicious websites and published empty packages containing links to those malicious websites, taking advantage of the open source ecosystem’s good reputation in search engines.”
“This attack caused a denial of service (DoS), destabilizing NPM and causing sporadic ‘service unavailable’ errors.”
Similar campaigns were recently observed spreading phishing links, but the latest wave pushed the total number of package versions to 1.42 million, a dramatic increase from the roughly 800,000 packages previously published on npm.
The technique takes advantage of the fact that open source repositories rank highly in search engine results: the attackers create malicious websites, then upload otherwise empty npm modules whose README.md files contain links to those sites.
“Since the open source ecosystem has a high reputation in search engines, any new open source package and its description will inherit this reputation and be well indexed by search engines, making them more prominent to unsuspecting users,” explains Harush Kadouri.
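The pattern described above (a package that ships no code, whose README is little more than outbound links) is simple enough to screen for. The following is an added example, not code from Checkmarx, npm or the report; the package record fields (`name`, `files`, `readme`), the prose-length threshold and the sample packages are all constructed for illustration, and the hostnames use the reserved `.invalid` TLD.

```javascript
// Added example: heuristic scanner for "empty package, link-only README" uploads.
// Not Checkmarx's or npm's code. Record shape {name, files, readme} and the
// thresholds below are assumptions chosen for this example.

const URL_RE = /https?:\/\/[^\s)\]>"']+/g;

// Pull every http(s) link out of a README body.
function extractLinks(readme) {
  return (readme || "").match(URL_RE) || [];
}

// Strip links and markdown punctuation, leaving whatever prose the README has.
function readmeProse(readme) {
  return (readme || "")
    .replace(URL_RE, " ")
    .replace(/[#*_`>\[\]()!-]/g, " ")
    .replace(/\s+/g, " ")
    .trim();
}

const MANIFEST_FILES = new Set(["package.json", "readme.md", "license"]);

// True when the tarball ships no code: only manifest, README and license entries.
function hasNoCode(files) {
  return files.every((f) => MANIFEST_FILES.has(f.toLowerCase()));
}

// Decision rule: no code, at least one outbound link, and almost no prose
// beyond the links. maxProseChars is an assumed threshold, not a published one.
function classifyPackage(pkg, { maxProseChars = 80 } = {}) {
  const links = extractLinks(pkg.readme);
  const prose = readmeProse(pkg.readme);
  const noCode = hasNoCode(pkg.files);
  const suspicious = noCode && links.length > 0 && prose.length <= maxProseChars;
  return { name: pkg.name, suspicious, noCode, links, proseChars: prose.length };
}

// Group flagged packages by the host they point at: an automated campaign shows
// up as many packages funnelling into a handful of hosts.
function campaignHosts(packages) {
  const byHost = new Map();
  for (const pkg of packages) {
    const result = classifyPackage(pkg);
    if (!result.suspicious) continue;
    for (const link of result.links) {
      let host;
      try { host = new URL(link).hostname; } catch { continue; }
      const names = byHost.get(host) || new Set();
      names.add(pkg.name);
      byHost.set(host, names);
    }
  }
  return [...byHost.entries()]
    .map(([host, names]) => ({ host, packages: [...names].sort() }))
    .sort((a, b) => b.packages.length - a.packages.length);
}

// Constructed sample records: two link-only spam packages, one real library,
// one empty placeholder with no links (should not be flagged).
const SAMPLE_PACKAGES = [
  { name: "free-game-hack-2023", files: ["package.json", "README.md"],
    readme: "# Download\n[CLICK HERE](https://dl-bait.invalid/get) https://dl-bait.invalid/mirror" },
  { name: "crypto-airdrop-bot", files: ["package.json", "README.md"],
    readme: "Join: https://dl-bait.invalid/tg" },
  { name: "left-pad-ish", files: ["package.json", "README.md", "index.js", "test/index.test.js"],
    readme: "# left-pad-ish\n\nPads a string on the left. Usage: leftPad('x', 3). Docs: https://docs.example.invalid/left-pad-ish" },
  { name: "placeholder-name", files: ["package.json"], readme: "reserved" },
];

for (const pkg of SAMPLE_PACKAGES) console.log(classifyPackage(pkg));
console.log(campaignHosts(SAMPLE_PACKAGES));
```

The "no code" check is what keeps the rule honest: a real library whose README happens to be terse still ships source files, while a placeholder with no links is merely empty rather than a search-engine lure. In practice the record would be built from the registry packument and tarball listing; the grouping by host is what surfaces a campaign as opposed to one odd package.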

Because the entire publishing process was automated, the load created by publishing such a large number of packages caused NPM intermittent stability issues towards the end of March 2023.
Checkmarx notes that while multiple actors may be behind the activity, the ultimate goal is to infect the victim’s system with malware such as RedLine Stealer, Glupteba, SmokeLoader and cryptocurrency miners.
Other links lead users through a series of intermediate pages and eventually to legitimate e-commerce sites such as AliExpress, using referral IDs so that the attackers profit when victims make purchases on the platform. A third category invites Russian users to Telegram channels dedicated to cryptocurrencies.
“Combatting threat actors polluting the software supply chain ecosystem remains difficult as attackers constantly adapt and surprise the industry with unexpected new techniques,” said Harush Kadouri.
To prevent such automated campaigns, Checkmarx recommends that npm incorporate anti-bot technology when creating user accounts.