    Attackers Flood NPM Repository with Over 15,000 Spam Packages Containing Phishing Links

By justmattg | February 23, 2023 | 3 Mins Read


    Feb 22, 2023Ravie LakshmananOpen Source / Supply Chain Attack


    In what’s a continuing assault on the open source ecosystem, over 15,000 spam packages have flooded the npm repository in an attempt to distribute phishing links.

    “The packages were created using automated processes, with project descriptions and auto-generated names that closely resembled one another,” Checkmarx researcher Yehuda Gelb said in a Tuesday report.

    “The attackers referred to retail websites using referral IDs, thus profiting from the referral rewards they earned.”

    The modus operandi involves poisoning the registry with rogue packages that include links to phishing campaigns in their README.md files, evocative of a similar campaign the software supply chain security firm exposed in December 2022.

    The fake modules masqueraded as cheats and free resources, with some packages named as “free-tiktok-followers,” “free-xbox-codes,” and “instagram-followers-free.”

    The ultimate goal of the operation is to entice users into downloading the packages and clicking on the links to the phishing sites with bogus promises of increased followers on social media platforms.

    “The deceptive web pages are well-designed and, in some cases, even include fake interactive chats that appear to show users receiving the game cheats or followers they were promised,” Gelb explained.


    The websites urge victims to fill out surveys, which then pave the way for additional surveys or, alternatively, redirect them to legitimate e-commerce portals like AliExpress.

    The packages are said to have been uploaded to npm from multiple user accounts within hours between February 20 and 21, 2023, using a Python script that automates the whole process.

What’s more, the Python script is engineered to add links to the published npm packages on WordPress websites operated by the threat actor that claim to offer Family Island cheats.

This is achieved by using the Selenium Python package to drive a browser, interact with the websites, and make the necessary modifications.

    In all, the use of automation allowed the adversary to publish a large number of packages in a short span of time, not to mention create several user accounts to conceal the scale of the attack.
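The traits the report describes, look-alike auto-generated names and descriptions, lure-themed package names, and README.md files whose links carry referral parameters, are all visible in registry metadata, which makes them usable for triage. The following is an added, defender-side example and is not code from the article or from Checkmarx: it runs a few heuristics over a constructed feed of package metadata and reports which packages look like README spam. The lure-word and referral-key lists, the `.test` domains, and the sample packages are all assumptions made for the example.

```python
"""Heuristic triage of newly published npm packages for README-based spam.

Added example, not code from the original article or from Checkmarx.
It checks constructed package metadata for the traits the report
describes: lure-word names, near-identical auto-generated descriptions,
and README.md links carrying referral-style query parameters.
"""
import re
from difflib import SequenceMatcher
from urllib.parse import parse_qs, urlparse

# Assumed vocabulary, built from the names quoted in the article plus
# obvious variants; tune this against your own registry feed.
LURE_WORDS = {"free", "cheat", "cheats", "followers", "codes", "generator", "hack"}
# Assumed set of query keys commonly used for referral/affiliate tracking.
REFERRAL_KEYS = {"ref", "referral", "aff", "aff_id", "affiliate", "invite"}
URL_RE = re.compile(r"https?://[^\s)>\]\"']+")


def lure_score(name: str) -> int:
    """Count lure words in a hyphen/underscore-separated package name."""
    tokens = re.split(r"[-_./]", name.lower())
    return sum(1 for t in tokens if t in LURE_WORDS)


def referral_links(readme: str) -> list[str]:
    """Return README links whose query string carries a referral-style key."""
    hits = []
    for url in URL_RE.findall(readme):
        query_keys = set(parse_qs(urlparse(url).query))
        if REFERRAL_KEYS & query_keys:
            hits.append(url)
    return hits


def near_duplicates(descriptions: dict[str, str], threshold: float = 0.85) -> set[str]:
    """Names whose description is near-identical to another package's."""
    names = list(descriptions)
    dupes: set[str] = set()
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ratio = SequenceMatcher(None, descriptions[a], descriptions[b]).ratio()
            if ratio >= threshold:
                dupes.update({a, b})
    return dupes


def triage(packages: list[dict]) -> dict[str, list[str]]:
    """Map package name -> list of reasons it looks like README spam."""
    dupes = near_duplicates({p["name"]: p["description"] for p in packages})
    flagged: dict[str, list[str]] = {}
    for p in packages:
        reasons = []
        if lure_score(p["name"]) >= 2:
            reasons.append("lure-word name")
        if referral_links(p["readme"]):
            reasons.append("referral link in README")
        if p["name"] in dupes:
            reasons.append("near-duplicate description")
        if reasons:
            flagged[p["name"]] = reasons
    return flagged


# Constructed sample registry feed; these are not real packages or sites.
SAMPLE_PACKAGES = [
    {"name": "free-tiktok-followers",
     "description": "Get free followers fast with this amazing tool 2023",
     "readme": "# Free followers\nClaim here: https://example-lure.test/claim?ref=abc123"},
    {"name": "free-xbox-codes",
     "description": "Get free codes fast with this amazing tool 2023",
     "readme": "# Free codes\nClaim here: https://example-lure.test/claim?ref=abc124"},
    {"name": "left-pad-clone",
     "description": "Pads strings on the left.",
     "readme": "# left-pad-clone\nSee https://github.com/example/left-pad-clone"},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_PACKAGES).items():
        print(f"{name}: {', '.join(reasons)}")
```

Each heuristic alone produces false positives (a legitimate package can mention "free", and many READMEs link to documentation with tracking parameters), so the value is in the combination: a cluster of packages sharing near-identical descriptions, lure-word names, and outbound referral links in the same window is the pattern worth escalating to the registry's abuse process.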

    “This shows the sophistication and determination of these attackers, who were willing to invest significant resources in order to carry out this campaign,” Gelb said.

    The findings once again demonstrate the challenges in securing the software supply chain, as threat actors continue to adapt with “new and unexpected techniques.”
