Malicious Spam Campaign Downs npm Registry

Security experts have urged npm registries to deploy anti-bot technology after revealing that open source repositories have been hit by intermittent denial of service (DoS) outages over the past month.

Npm claims to be the world’s largest software registry, with over 2 million JavaScript packages available for download.

According to Jossef Harush Kadouri, head of software supply chain security at Checkmarx, the company has been hit by spam campaigns in the past, but the past four weeks have been “the worst we’ve ever seen.”

For more information on npm registry threats, see Hundreds of malicious packages found in npm registries.

“Apparently, attackers have found the unverified open source ecosystem to be an easy target to carry out SEO poisoning for various malicious campaigns. You can publish as many packages as you want,” he explained in a blog post yesterday.

“Typically, the number of package versions released on npm is around 800,000. But last month, that number exceeded 1.4 million.”

Many of these are “empty” packages whose sole purpose is to link to malicious websites created by the attackers for their own purposes, Kadouri said.

He added that open-source registries like npm are highly ranked in search engines, so all new packages appear higher in the index and are more visible to users.
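The "empty package" pattern described above can be triaged from package metadata alone. The following is an added example (not code from the article, Checkmarx, or npm) that scores a package manifest on a few defender-side indicators: no code files beyond metadata, a README dominated by links to external hosts, and a `main` entry that does not exist in the package. The manifest shape and both sample packages are constructed for the example.

```javascript
// Added example: heuristic triage of npm package metadata for SEO-spam
// "empty" packages. Input shape is assumed: { name, main, files, readme }.
const CODE_EXT = /\.(js|mjs|cjs|ts|tsx|jsx|json|wasm|node)$/i;
const META_FILE = /^(package\.json|readme(\.md)?|license(\.md)?)$/i;
const LINK_RE = /https?:\/\/[^\s)>"]+/g;
const TRUSTED_HOSTS = /(^|\.)(npmjs\.com|github\.com)$/i;

// Returns the list of spam indicators found in one manifest.
function spamIndicators(pkg) {
  const reasons = [];
  const files = pkg.files || [];
  // Code files: anything with a code extension that is not pure metadata.
  const codeFiles = files.filter(
    f => CODE_EXT.test(f) && !META_FILE.test(f.split('/').pop())
  );
  if (codeFiles.length === 0) reasons.push('no code files (metadata only)');

  const readme = pkg.readme || '';
  const links = readme.match(LINK_RE) || [];
  const words = readme.split(/\s+/).filter(Boolean).length;
  // Hosts other than the registry/forge itself are the SEO-poisoning target.
  const externalHosts = new Set(
    links.map(u => new URL(u).hostname).filter(h => !TRUSTED_HOSTS.test(h))
  );
  // One link per five words or denser is treated as "link-dominated".
  if (externalHosts.size > 0 && links.length * 5 >= words) {
    reasons.push(`link-dominated README (${links.length} links / ${words} words)`);
  }
  if (pkg.main && !files.includes(pkg.main)) {
    reasons.push(`"main" entry ${pkg.main} is not in the package`);
  }
  return reasons;
}

// Two or more indicators together mark the package as likely SEO spam.
function isLikelySeoSpam(pkg) {
  return spamIndicators(pkg).length >= 2;
}

// Constructed samples (not real packages).
const spamSample = {
  name: 'free-movie-stream-2023', main: 'index.js',
  files: ['package.json', 'README.md'],
  readme: 'Watch now https://bad.example/stream https://bad.example/hd https://bad.example/dl',
};
const legitSample = {
  name: 'pad-helper-sample', main: 'index.js',
  files: ['package.json', 'README.md', 'index.js', 'lib/pad.js'],
  readme: 'A small padding helper. Install with npm and call pad(str, n). See https://github.com/example/pad for docs and usage.',
};
```

Run against a registry feed, this kind of scoring is a first-pass filter for human review, not a verdict; a legitimate metadata-only package (for example a config preset) can trip the first indicator on its own.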

“The unstoppable load created by these automated scripts destabilized npm with sporadic ‘service unavailable’ errors. You can see what happened to me and my colleagues many times over the last week.

“We have mapped several campaigns, which we cannot confirm at this time, but we believe they are all likely operated by the same actor.”

Kadouri urged npm to use anti-bot technology to curb these automated campaigns, especially in the new user registration process.

“The battle against threat actors polluting our software supply chain ecosystem continues to be challenging. Attackers are constantly adapting and surprising the industry with unexpected new techniques,” he concludes.
