NPM finds 15 thousand phishing and spam packages

An attack on users of the NPM registry was recorded: on February 20, more than 15 thousand packages were uploaded to the NPM repository whose README files contained links to phishing sites or referral links that earned the attackers affiliate commissions. Analysis of the packages revealed 190 unique phishing or promotional links spanning 31 domains.

Package names were chosen to attract the interest of ordinary users, for example "free-tiktok-followers", "free-xbox-codes", "instagram-followers-free", etc. The aim was to flood the list of recently updated packages on the main NPM page with spam. The package descriptions included links promising free giveaways, gifts, game cheats, and free services for gaining followers and likes on social networks such as TikTok and Instagram. This is not the first attack of this kind; in December, 144 thousand spam packages were published in the NuGet, NPM and PyPI repositories.


The contents of the packages were generated automatically by a Python script which, apparently by oversight, was left inside the packages and included the working credentials used during the attack. The packages were published from many different accounts, using methods that make it difficult to follow the trail and quickly identify the problematic packages.

In addition to the fraudulent activity, several attempts to publish malicious packages were also identified in the NPM and PyPI repositories:

  • 451 malicious packages were found in the PyPI repository disguised as popular libraries through typosquatting (choosing similar names that differ by a character or two, for example vper instead of vyper, bitcoinnlib instead of bitcoinlib, ccryptofeed instead of cryptofeed, ccxtt instead of ccxt, cryptocommpare instead of cryptocompare, seleium instead of selenium, pinstaller instead of pyinstaller, etc.). The packages included obfuscated code for stealing cryptocurrency: it detected crypto-wallet addresses in the clipboard and replaced them with the attacker's wallet (the assumption being that, when making a payment, the victim will not notice that the wallet address pasted from the clipboard is different). The substitution was performed by a browser extension that ran in the context of every web page viewed.
  • A series of malicious HTTP libraries was identified in the PyPI repository. Malicious activity was found in 41 packages whose names were chosen by typosquatting and resembled popular libraries (aio5, requestst, ulrlib, urllb, libhttps, piphttps, httpxv2, etc.). The package contents were styled to look like working HTTP libraries or copied code from existing libraries, and the descriptions claimed advantages over and comparisons with legitimate HTTP libraries. The malicious activity was limited to either downloading malware onto the system or collecting and exfiltrating sensitive data.
  • NPM identified 16 JavaScript packages (speedte*, trova*, lagra) which, in addition to their declared functionality (throughput testing), also contained code for mining cryptocurrency without the user's knowledge.
  • 691 malicious packages were detected in NPM. Most of the problematic packages impersonated Yandex projects (yandex-logger-sentry, yandex-logger-qloud, yandex-sendsms, etc.) and included code for sending confidential information to external servers. It is believed that those who published the packages were attempting to substitute their own packages for internal dependencies when projects are built inside Yandex (a dependency confusion attack). In the PyPI repository, the same researchers found 49 packages (reqsystem, httpxfaster, aio6, gorilla2, httpsos, pohttp, etc.) containing obfuscated malicious code that downloads and runs an executable file from an external server.

Source: opennet.ru
