Threat actors continue to poison the NPM repository for open-source JavaScript code with malware aimed at unwary application developers.
But the most recent campaigns were so severe, they caused a distributed denial of service attack that periodically blocked access to the site.
Researchers at Checkmarx say a hacker — or hackers — recently created a series of operations against NPM, including a malware infection campaign, a referral scam campaign linked to the online shopping site AliExpress, and a crypto scam campaign targeting Russian users on Telegram.
The threat actors are creating malicious websites hosting so-called tools available on NPM. These sites can be ranked high by search engines because they trust the reputation of open-source repositories. What the attackers actually put in the NPM repository is a readme file that links to the bad website. Unsuspecting developers who click on the link and download the promised code are instead infected with malware from a password-encrypted zip file.
(An example of a malicious package found on a search engine. Source: Checkmarx)
Depending on the campaign, that file can lead to a number of actions, including DLL side-loading, virtualization/sandbox evasion, the ability to disable tools and firewalls, the dropping of tools such as Glupteba, RedLine, Smoke Loader, xmrig and more to steal credentials and to mine cryptocurrency.
Related content: Malicious modules found in NPM
“We mapped several campaigns,” said Checkmarx, “and we believe they are all likely operated by the same threat actor, although we can’t confirm that at this time. It’s possible that there are several threat actors, each operating a campaign individually.”
“We’ve seen spam campaigns in the open-source ecosystems in the past year, but this month was by far the worst one we’ve seen yet,” say the researchers.
“Apparently, attackers found the unvetted open-source ecosystems as an easy target to perform SEO poisoning for various malicious campaigns. As long as the name is untaken, they can publish an unlimited number of packages.
“Typically, the number of package versions released on NPM is approximately 800,000. However, in the previous month, the figure exceeded 1.4 million due to the high volume of spam campaigns.”
NPM should apply anti-bot techniques specifically in the flow of user creation, says the report, which might help prevent such automated campaigns.
Related content: A scanner for developers
In addition, anyone downloading code from an open-source repository such as NPM, PyPI, GitHub, and others has to be careful about downloading and installing anything. That includes checking the reputation of the developer or the code with colleagues or a security provider, being wary of packages that might have almost identical names to the module you’re looking for (known as typosquatting), and scanning code for vulnerabilities.
