They found more than 15,000 phishing and spam packages on NPM

NPM attack

It was recently reported that an attack on users of the NPM registry was detected: on February 20, more than 15 thousand packages were uploaded to the NPM repository whose README files contained links to phishing sites or referral links that paid the attackers a commission.

Analysis of the packages revealed 190 unique promotional or phishing links, covering 31 domains.

On Monday, February 20, Checkmarx Labs discovered an anomaly in the NPM ecosystem when we cross-referenced new information with our databases. Groups of packages had been published in large numbers to the NPM package manager. Further investigation revealed that the packages were part of a new trending attack vector, in which attackers were spamming the open source ecosystem with packages containing links to phishing campaigns. We reported on a similar attack last December.

In this scenario, it appears that automated processes were used to create over 15,000 packages on NPM, together with the user accounts that published them. The descriptions of these packages contained links to phishing campaigns. Our team alerted the NPM security team.

Package names were chosen to attract interest, e.g. “free-tiktok-followers”, “free-xbox-codes”, “instagram-followers-free”, etc.

The aim was to flood the list of recent updates on the NPM home page with spam packages. Package descriptions included links promising freebies, game cheats, and free services to get followers and likes on social networks such as TikTok and Instagram. This is not the first attack of this type: 144 spam packages were posted to the NuGet, NPM, and PyPI repositories in December.

The content of the packages was generated automatically by a Python script, which was apparently left inside the packages by mistake and included the working credentials used in the attack. The packages were published from many different accounts, using methods that make it difficult to follow the trail and quickly identify the problematic packages.

In addition to this spam activity, several attempts to publish malicious packages have been identified in the NPM and PyPI repositories:

  • Malicious packages were found in the PyPI repository that impersonated popular libraries using typosquatting (choosing similar names that differ by one or two characters, e.g. vper instead of vyper, bitcoinnlib instead of bitcoinlib, ccryptofeed instead of cryptofeed, ccxtt instead of ccxt, cryptocommpare instead of cryptocompare, seleium instead of selenium, pinstaller instead of pyinstaller, etc.).
  • The packages included obfuscated code to steal cryptocurrency: it detected cryptocurrency wallet addresses on the clipboard and replaced them with the attacker's wallet (the assumption being that, when making a payment, the victim will not notice that the wallet address pasted from the clipboard is different).
  • The replacement was carried out by a bundled browser extension that ran in the context of every web page visited.
  • A number of malicious HTTP libraries have been identified in the PyPI repository.
  • Malicious activity was found in 41 packages whose names were chosen using typosquatting and resembled popular libraries (aio5, requestst, ulrlib, urllb, libhttps, piphttps, httpxv2, etc.).
  • The filler code was designed to look like a working HTTP library or was copied from existing libraries, and the description claimed advantages over, and comparisons with, legitimate HTTP libraries. The malicious activity was limited to downloading malware onto the system or collecting and exfiltrating sensitive data.
  • On NPM, 16 JavaScript packages (speedte*, trova*, lagra) were identified which, in addition to their declared functionality (performance testing), also contained code for mining cryptocurrency without the user's knowledge.
  • On NPM, 691 malicious packages were identified. Most of the problematic packages posed as Yandex projects (yandex-logger-sentry, yandex-logger-qloud, yandex-sendsms, etc.) and included code to send sensitive information to external servers. It is assumed that whoever published the packages was attempting a dependency confusion attack, i.e. getting a public package with the same name as an internal Yandex dependency picked up when Yandex projects are built.

In the PyPI repository, the same researchers found 49 packages (reqsystem, httpxfaster, aio6, gorilla2, httpsos, pohttp, etc.) with obfuscated malicious code that downloads and runs an executable file from an external server.
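The typosquatted names quoted above (vper, bitcoinnlib, requestst, urllb, httpxv2, …) are all within one or two edits of the library they imitate. As an added, defender-side example, not code from the article or from the researchers it cites, here is a small Python check that flags requested package names sitting within a small edit distance of a constructed allow-list of popular libraries:

```python
# Constructed allow-list of legitimate names (assumption: a defender maintains
# such a list). These are the libraries the squatted names on the page imitate;
# "urllib" is the stdlib name and is included because squats of it are listed.
POPULAR_PYPI = [
    "vyper", "bitcoinlib", "cryptofeed", "ccxt", "cryptocompare", "selenium",
    "pyinstaller", "aiohttp", "requests", "urllib", "urllib3", "httpx",
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute) used as the typosquat metric."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (or match)
        prev = cur
    return prev[-1]


def typosquat_candidates(name, popular, max_distance=2):
    """Return (legit_name, distance) pairs for allow-listed packages the name is
    suspiciously close to. An exact match is the real package, so distance 0 is excluded."""
    name = name.lower()
    hits = [(legit, levenshtein(name, legit.lower())) for legit in popular]
    return sorted([(l, d) for l, d in hits if 0 < d <= max_distance], key=lambda h: h[1])


def audit(names, popular, max_distance=2):
    """Map each requested package name to its candidates; an empty list means no near-miss."""
    return {n: typosquat_candidates(n, popular, max_distance) for n in names}


if __name__ == "__main__":
    # Names taken from the article, used here as sample input.
    requested = ["vper", "bitcoinnlib", "ccxtt", "requestst", "urllb", "httpxv2", "aio5", "requests"]
    for pkg, hits in audit(requested, POPULAR_PYPI).items():
        print(f"{pkg:12} -> {hits if hits else 'no near-miss'}")
```

Pure edit distance does not catch squats such as aio5 (four edits from aiohttp), so a check like this complements, rather than replaces, review of what a package actually does.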

Finally, if you are interested in learning more about it, you can check the details at the following link.
