During a recent attack on the open-source NPM ecosystem, cybercriminals uploaded more than 15 thousand spam packages to the registry in order to distribute phishing links.
“Packages were created using automated processes, with project descriptions and automatically generated names that were very similar to each other. The attackers referred to retail sites using referral identifiers, thus making a profit,” said Yehuda Gelb, a Checkmarx researcher, in his report of February 21.
The attack worked by flooding the registry with fraudulent packages whose README.md files contain links to phishing campaigns. Checkmarx uncovered a similar malicious campaign in December of last year.
The fake packages posed as cheats and free resources; some were named “Free TikTok subscribers”, “Free Xbox codes”, “Free Instagram subscribers”, and so on.
The ultimate goal of the operation is to lure naive users into downloading the packages and following the links to phishing sites with fictitious promises of something. In other words, classic social engineering.
“The fake web pages are well designed, and in some cases they even contain fake interactive chats that apparently show users really receiving the promised game cheats or subscribers,” Gelb explained.
Phishing links embedded in an NPM package
The websites urge victims to fill out surveys, which then lead to further forms or redirect users to legitimate e-commerce portals such as AliExpress.
The packages are reported to have been uploaded to NPM from several accounts over the course of a few hours between February 20 and 21, 2023. Their authors used a Python script that automates the whole process.
Automation allowed the attackers to publish a large number of packages in a short time, and they also created several user accounts to conceal the scale of the attack.
“This shows the sophistication and determination of the attackers, who were willing to invest significant resources in this campaign,” Gelb concluded.
This attack demonstrates the challenges of securing the software supply chain. Cybercriminals continue to adapt, using new and unexpected methods for their attacks.
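The two traits the report describes, near-identical auto-generated descriptions and README.md files that carry off-registry links, can be turned into a simple triage heuristic. The script below is an added example, not code from the article or from Checkmarx; the package names, accounts and URLs are constructed placeholders modelled on the campaign, and the similarity threshold and cluster size are assumptions a reviewer would tune.

```python
import re
from urllib.parse import urlparse

# Constructed sample of registry metadata (invented names, accounts and
# hosts modelled on the campaign in the article; not real packages).
PACKAGES = [
    {"name": "free-tiktok-subs-001", "account": "acct-a",
     "description": "Free TikTok subscribers generator 2023 no survey",
     "readme": "# Free TikTok subscribers\nClaim now: https://lure-site.invalid/claim?ref=a1"},
    {"name": "free-insta-subs-002", "account": "acct-a",
     "description": "Free Instagram subscribers generator 2023 no survey",
     "readme": "# Free Instagram subscribers\nClaim now: https://lure-site.invalid/claim?ref=a2"},
    {"name": "free-xbox-codes-003", "account": "acct-b",
     "description": "Free Xbox codes generator 2023 no survey",
     "readme": "# Free Xbox codes\nGet codes: https://other-lure.invalid/go?ref=b9"},
    {"name": "fast-schema-check", "account": "maintainer-x",
     "description": "Fast JSON schema validator for Node.js",
     "readme": "# fast-schema-check\nDocs: https://github.com/example/fast-schema-check"},
]

URL_RE = re.compile(r"https?://[^\s)>\]]+")
TRUSTED_HOSTS = {"github.com", "www.npmjs.com", "npmjs.com"}  # assumed allow-list

def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def jaccard(a, b):
    """Word-set similarity of two descriptions (0.0 .. 1.0)."""
    a, b = tokens(a), tokens(b)
    return len(a & b) / len(a | b) if a | b else 0.0

def external_links(readme):
    """URLs in a README whose host is not on the trusted allow-list."""
    return [u for u in URL_RE.findall(readme)
            if urlparse(u).hostname not in TRUSTED_HOSTS]

def cluster_by_description(packages, threshold=0.5):
    """Greedy single pass: a package joins the first cluster whose seed
    description is similar enough, otherwise it starts a new cluster."""
    clusters = []
    for pkg in packages:
        for cluster in clusters:
            if jaccard(cluster[0]["description"], pkg["description"]) >= threshold:
                cluster.append(pkg)
                break
        else:
            clusters.append([pkg])
    return clusters

def flag_spam(packages, min_cluster=3, threshold=0.5):
    """Names of packages in a near-duplicate cluster whose README links off-registry."""
    flagged = []
    for cluster in cluster_by_description(packages, threshold):
        if len(cluster) >= min_cluster:
            flagged += [p["name"] for p in cluster if external_links(p["readme"])]
    return sorted(flagged)
```

Run on the constructed sample, `flag_spam(PACKAGES)` returns the three lure packages and leaves the legitimate one alone; on a real registry feed the same pass would also want the per-account publish rate the article mentions.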