Npm Packages Used to Distribute Phishing Links

Threat actors have been observed uploading over 15,000 spam packages to the npm open-source JavaScript repository from multiple user accounts within hours.

The claims come from JavaScript developer Jesse Mitchell, who posted about them on Twitter on Tuesday.

"I've been noticing a spam attack on npm. Tens of thousands of packages have been flooding the registry and occupying the front page," Mitchell wrote.

The findings were then further analyzed by Checkmarx cybersecurity expert Yehuda Gelb and discussed in an advisory published on Tuesday.

"Further investigation uncovered a recurring attack method, in which cyber attackers utilize spamming techniques to flood the open-source ecosystem with packages that include links to phishing campaigns in their readme.md files," Gelb explained.

The security researcher said that the malicious packages were created using automated processes that also auto-generated project descriptions and names resembling one another.

"The packages appeared to contain the very same automation code used to generate these packages, probably uploaded by mistake by the attacker," reads the Checkmarx advisory.

"The generating scripts also include valid credentials used by the attacker in the attack flow."

According to Gelb, the threat actors behind this campaign referred to retail websites using referral IDs in a bid to profit from the referral rewards they earned.

"While investigating the phishing websites, we noticed that some of them redirected to eCommerce websites with referral IDs," wrote the security researcher.

"This highlights the potential financial gain for threat actors who engage in phishing campaigns like this."
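The pattern Gelb describes (thousands of templated packages with near-identical names and descriptions, each README carrying an off-registry link, some of those links ending at retail sites with referral IDs) lends itself to a simple metadata triage. The following is an added example, not code from the article or from Checkmarx: it assumes a simplified package record of the form `{name, description, readme, publisher, publishedAt}` (real registry metadata would have to be mapped onto that shape), clusters packages by name/description similarity, and flags clusters published within a short window whose READMEs all contain external links. The sample records are constructed; `example.invalid` hosts and the referral parameter names are assumptions.

```javascript
// Added example (not the article's or Checkmarx's code): triage heuristic for
// templated spam packages. Package record shape is an assumption.

const URL_RE = /https?:\/\/[^\s)>\]"']+/g;
// Assumed query-parameter names that commonly carry referral/affiliate IDs.
const REFERRAL_PARAMS = ['ref', 'referral', 'aff', 'affiliate'];

// Unique http(s) links found in a README body.
function extractLinks(readme) {
  return [...new Set(readme.match(URL_RE) || [])];
}

// True when a URL carries a query parameter that looks like a referral ID.
function hasReferralParam(url) {
  try {
    const params = new URL(url).searchParams;
    return REFERRAL_PARAMS.some((p) => params.has(p));
  } catch {
    return false; // unparsable URL: treat as no referral parameter
  }
}

// Lower-cased alphanumeric tokens of a string, as a set.
function tokens(text) {
  return new Set(text.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean));
}

// Jaccard similarity of two token sets (0 = disjoint, 1 = identical).
function jaccard(a, b) {
  const inter = [...a].filter((t) => b.has(t)).length;
  const union = new Set([...a, ...b]).size;
  return union === 0 ? 0 : inter / union;
}

// Greedy single-pass clustering on name+description similarity; enough to
// group templated packages whose text differs only by a counter or suffix.
function clusterSimilar(packages, threshold) {
  const clusters = [];
  for (const pkg of packages) {
    const t = tokens(`${pkg.name} ${pkg.description}`);
    const hit = clusters.find((c) => jaccard(c.tokens, t) >= threshold);
    if (hit) hit.members.push(pkg);
    else clusters.push({ tokens: t, members: [pkg] });
  }
  return clusters;
}

// Flag clusters of at least minSize near-identical packages published within
// windowMs whose READMEs every one contain an external link.
function flagSpamClusters(packages, { minSize = 3, windowMs = 3_600_000, threshold = 0.6 } = {}) {
  const findings = [];
  for (const c of clusterSimilar(packages, threshold)) {
    if (c.members.length < minSize) continue;
    const times = c.members.map((p) => Date.parse(p.publishedAt));
    const spanMs = Math.max(...times) - Math.min(...times);
    const perPkgLinks = c.members.map((p) => extractLinks(p.readme));
    if (spanMs > windowMs || perPkgLinks.some((l) => l.length === 0)) continue;
    const links = [...new Set(perPkgLinks.flat())];
    findings.push({
      names: c.members.map((p) => p.name),
      publishers: [...new Set(c.members.map((p) => p.publisher))],
      hosts: [...new Set(links.map((u) => new URL(u).hostname))],
      referralLinks: links.filter(hasReferralParam).length,
      spanMs,
    });
  }
  return findings;
}

// Constructed sample data (not real packages): the first three mimic the
// templated spam, the last two are ordinary packages.
const SAMPLE = [
  { name: 'free-gift-card-generator-1', description: 'Get free gift cards now no survey',
    readme: '# Free gift cards\nClaim here: https://example.invalid/claim?ref=1001',
    publisher: 'spamuser1', publishedAt: '2023-02-21T10:00:00Z' },
  { name: 'free-gift-card-generator-2', description: 'Get free gift cards now no survey 2023',
    readme: '# Free gift cards\nClaim here: https://example.invalid/claim?ref=1002',
    publisher: 'spamuser2', publishedAt: '2023-02-21T10:02:00Z' },
  { name: 'free-gift-cards-generator-3', description: 'Get free gift cards now no survey fast',
    readme: '# Free gift cards\nClaim here: https://example.invalid/claim?ref=1003',
    publisher: 'spamuser1', publishedAt: '2023-02-21T10:05:00Z' },
  { name: 'left-pad-clone', description: 'A utility to pad strings on the left',
    readme: '# left-pad-clone\nSource: https://git.example.invalid/left-pad-clone',
    publisher: 'dev', publishedAt: '2023-01-10T09:00:00Z' },
  { name: 'tiny-logger', description: 'Minimal logging helper for Node',
    readme: '# tiny-logger\nUsage: const log = require("tiny-logger")',
    publisher: 'dev', publishedAt: '2023-01-11T09:00:00Z' },
];

console.log(JSON.stringify(flagSpamClusters(SAMPLE), null, 2));
```

Run against the sample, the three templated packages form one cluster published five minutes apart, all pointing at one host with referral-style query parameters, while the two ordinary packages are left alone. The similarity threshold and time window are the knobs to tune: templated spam scores high on both, whereas a legitimate monorepo release (many related packages at once) tends to fail the README-link condition or resolve to the project's own hosts.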

Gelb also said the attacker behind this malicious campaign appears to be the same as a previous spam attack Checkmarx detected in December 2022.

"The battle against threat actors poisoning our software supply chain ecosystem continues to be a challenging one, as attackers constantly adapt and surprise the industry with new and unexpected techniques," Gelb said.

"By working together, we can stay one step ahead of attackers and keep the ecosystem safe."

The Checkmarx advisory comes weeks after ReversingLabs spotted a malicious package on npm using typosquatting techniques.
