They flooded NPM with fake packages again


npm again suffers a flood of malicious packages, leading to denial of service

Information has been released about a problem that arose in npm: attackers flooded the npm open source package repository for Node.js with fake packages, and the flood even briefly triggered a denial of service (DoS).

Although similar campaigns spreading phishing links have been seen recently, the latest wave has pushed the number of package versions published to 1.42 million, a dramatic increase over the roughly 800,000 normally published on npm in a month.

The attackers create malicious websites and publish empty packages containing links to those sites, taking advantage of the good reputation that open source ecosystems enjoy in search engines. The attacks also caused a denial of service (DoS) that made npm unstable, with sporadic "Service Unavailable" errors.

We've seen spam campaigns in open source ecosystems for the past year, but this month was by far the worst we've seen.

Attackers have apparently found unverified open source ecosystems an easy target to perform SEO poisoning for various malicious campaigns. As long as the name is not taken, they can publish an unlimited number of packages.

In a typical month, the number of package versions published on npm is around 800,000. In the previous month, however, this figure exceeded 1.4 million due to the high volume of spam campaigns.

The attack technique takes advantage of the fact that open source repositories rank well in search engine results: the attackers create malicious websites and upload empty npm modules whose README.md files contain links to those sites.

In this attack method, cybercriminals create malicious websites and publish empty packages linking to them. Since open source ecosystems have a high reputation with search engines, every new package and its description inherits that reputation and is indexed well, making the bait more visible to users searching for it.
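As an added example, not code from the article or from the researchers it cites, here is a JavaScript heuristic scanner for the kind of empty, link-only package described above. It takes a package's parsed package.json, its README text and the file list of the published tarball (all constructed inline here, not real packages), and flags packages that ship no code, carry a link-heavy README pointing off-site or through URL shorteners, or use warez bait wording. The scoring weights, the shortener list, the bait vocabulary and the threshold of 5 are assumptions chosen for illustration, not values from the campaign report.

```javascript
// Added example: heuristic detection of empty SEO-spam npm packages.
// Thresholds, shortener hosts and bait terms are illustrative assumptions.
const SHORTENER_HOSTS = new Set(['bit.ly', 'tinyurl.com', 't.co', 'is.gd', 'cutt.ly', 'rb.gy']);
const CODE_FILE = /\.(c?m?js|ts|json|wasm|node)$/i;
const BAIT_WORDS = /\b(crack|keygen|warez|full version|free download|serial key)\b/i;

// Pull every http(s) URL out of free text, dropping anything URL() rejects.
function extractUrls(text) {
  const urls = [];
  for (const m of text.matchAll(/https?:\/\/[^\s)\]>"']+/g)) {
    try { urls.push(new URL(m[0])); } catch { /* malformed, ignore */ }
  }
  return urls;
}

// Score one published package version; higher means more spam-like.
function scoreSpamPackage({ manifest, readme, files }) {
  const reasons = [];
  let score = 0;

  // 1. Nothing but package.json and a README in the tarball.
  const codeFiles = files.filter(f => CODE_FILE.test(f) && !/^package\.json$/i.test(f));
  if (codeFiles.length === 0) { score += 3; reasons.push('no code files in tarball'); }

  // 2. No entry point and no dependencies: nothing for a consumer to run.
  if (!manifest.main && !manifest.exports && !manifest.bin) { score += 1; reasons.push('no entry point'); }
  if (!manifest.dependencies || Object.keys(manifest.dependencies).length === 0) { score += 1; reasons.push('no dependencies'); }

  // 3. README dominated by outbound links, especially through shorteners.
  const urls = extractUrls(readme);
  const words = readme.split(/\s+/).filter(Boolean).length;
  if (urls.length > 0 && urls.length / Math.max(words, 1) > 0.1) { score += 2; reasons.push('link-heavy README'); }
  if (urls.some(u => SHORTENER_HOSTS.has(u.hostname))) { score += 2; reasons.push('URL shortener link'); }
  const offSite = urls.filter(u => !/(^|\.)(npmjs\.com|github\.com)$/.test(u.hostname));
  if (offSite.length > 0 && offSite.length === urls.length) { score += 1; reasons.push('only off-ecosystem links'); }

  // 4. Warez-style bait wording in the name, description or README.
  if (BAIT_WORDS.test(`${manifest.name} ${manifest.description || ''} ${readme}`)) { score += 2; reasons.push('warez bait wording'); }

  return { score, suspicious: score >= 5, reasons };
}

// Constructed sample inputs (not real packages).
const spamSample = {
  manifest: { name: 'photo-editor-pro-crack-free', version: '1.0.0', description: 'Download full version free' },
  readme: '# Photo Editor Pro Crack\n\nDownload here: https://bit.ly/example-link\nMirror: https://example.org/dl',
  files: ['package.json', 'README.md'],
};
const legitSample = {
  manifest: { name: 'tiny-csv', version: '2.1.0', description: 'Minimal CSV parser', main: 'index.js', dependencies: { 'iconv-lite': '^0.6.3' } },
  readme: '# tiny-csv\n\nInstall with `npm i tiny-csv`. See https://github.com/example/tiny-csv for docs and usage examples in the wiki.',
  files: ['package.json', 'README.md', 'index.js', 'lib/parse.js'],
};

console.log(scoreSpamPackage(spamSample));   // suspicious: true, score 12
console.log(scoreSpamPackage(legitSample));  // suspicious: false, score 0
```

In practice the inputs would come from `npm view <pkg> --json` and the extracted tarball of each new version; the point of the heuristic is that a package with no code and a README that only exists to carry outbound links has no legitimate reason to be on the registry.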

Since the whole process is automated, the load created by publishing so many packages led npm to experience intermittent stability issues towards the end of March 2023. As for the goal of the campaign, it is stated to be infecting the victim with a malicious .exe file.

Among the techniques used, it is mentioned in particular that a "bait" package is used, that is, a package with a tempting warez description aimed at the user, making it more likely that victims will search for and land on those npm pages.

From there, the user does everything needed to get infected: when the short link is clicked, a custom website appears that looks legitimate but is hosted on the attackers' infrastructure and offers a download of the warez software.

This downloads a password-protected zip file which, when extracted, yields an .exe padded out to roughly 600 MB. Inflating the file this way is used to avoid detection by EDRs.
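As an added example, not code from the article, here is a JavaScript check for the size-inflation trick described above. It is an assumption here that the filler is cheap padding (long runs of one repeated byte such as zeros), which is what such inflated samples typically look like; the detector measures what fraction of a file consists of such runs and flags files that are both large and mostly filler. The run length, ratio and size thresholds are illustrative assumptions, and the sample buffers are constructed in memory rather than read from a real binary.

```javascript
// Added example: detect a binary inflated with repeated-byte padding.
// Thresholds are assumptions; tune them for the environment being scanned.

// Count the bytes that belong to runs of one repeated value at least
// minRun bytes long. Real code and compressed data almost never produce
// such runs; padding does.
function paddingStats(buf, minRun = 4096) {
  let padded = 0;
  let i = 0;
  while (i < buf.length) {
    const b = buf[i];
    let j = i + 1;
    while (j < buf.length && buf[j] === b) j++;
    if (j - i >= minRun) padded += j - i;
    i = j;
  }
  return { size: buf.length, padded, ratio: buf.length ? padded / buf.length : 0 };
}

// A file is "padded" when it is large enough to trip typical scan-size
// limits and most of it is filler. Defaults are illustrative.
function looksPadded(buf, { minRun = 4096, ratio = 0.9, minSize = 50 * 1024 * 1024 } = {}) {
  const s = paddingStats(buf, minRun);
  return s.size >= minSize && s.ratio >= ratio;
}

// Constructed sample: a small "payload" of varying bytes followed by
// fillerBytes of one repeated byte, mimicking a padded executable.
function makeSample(payloadBytes, fillerBytes, fillByte = 0) {
  const payload = Buffer.alloc(payloadBytes);
  for (let i = 0; i < payload.length; i++) payload[i] = (i * 7919 + 13) & 0xff; // no repeated runs
  return Buffer.concat([payload, Buffer.alloc(fillerBytes, fillByte)]);
}

// 64 KiB of code-like bytes wrapped in 4 MiB of zeros (scaled down from
// the ~600 MB seen in the campaign so the demo runs in memory).
const demo = makeSample(64 * 1024, 4 * 1024 * 1024);
console.log(paddingStats(demo));
console.log(looksPadded(demo, { minSize: 1024 * 1024 }));
```

For real files, read the binary with `fs.readFileSync` and pass the Buffer in; on a 600 MB sample the scan is linear in the file size, which is still far cheaper than the full analysis an EDR would skip on such a file.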

Other techniques mentioned include DLL sideloading, virtualization/sandbox evasion, disabling security tools and firewalls, and dropping tools such as Glupteba, RedLine, Smoke Loader and xmrig to steal credentials and mine cryptocurrency.

It is also mentioned that the attackers linked to retail websites such as AliExpress using referral IDs they had created themselves, and thus benefited from referral rewards.

The scale of this campaign was significant: the load caused npm to become unstable, with sporadic "Service Unavailable" errors.

As such, npm should take action on the matter and put an end to these problems, which keep arising in the repository now that it has basically become a target for attackers.

