15 thousand phishing and spam packages found in NPM

An attack on users of the NPM registry was recorded: on February 20, more than 15 thousand packages were uploaded to the NPM repository whose README files contained links to phishing sites or referral links that earn the affiliate a commission. Analysis of the packages revealed 190 unique phishing or advertising links spanning 31 domains.

The package names were chosen to attract the attention of ordinary users, for example "free-tiktok-followers", "free-xbox-codes", "instagram-followers-free", etc. The goal was to flood the list of new releases on the main NPM page with spam packages. The package descriptions contained links promising free giveaways, gifts, game cheats, and free services for gaining followers and likes on social networks such as TikTok and Instagram. This is not the first such attack; in December, 144 thousand spam packages were published in the NuGet, NPM and PyPi registries.


The contents of the packages were generated by a Python script that was left inside the packages, apparently by oversight, and that included the working credentials used during the attack. The packages were published under many different accounts, using techniques that made it harder to trace the origin and to quickly identify the problematic packages.

Apart from the fraudulent activity, several attempts to publish malicious packages to the NPM and PyPI repositories were also identified:

  • 451 malicious packages were found in the PyPI repository, disguised as popular libraries by typosquatting (names that differ from the real ones by a single character, e.g. vper instead of vyper, bitcoinnlib instead of bitcoinlib, ccryptofeed instead of cryptofeed, ccxtt instead of ccxt, cryptocompare instead of cryptocompare, seleium instead of selenium, pinstaller instead of pyinstaller, etc.). The packages contained obfuscated code for stealing cryptocurrency: it detected crypto wallet IDs in the clipboard and replaced them with the attacker's wallet (the assumption being that, when making a payment, the victim will not notice that the wallet address pasted from the clipboard is different). The substitution was carried out by an add-on installed in the web browser, which ran in the context of every web page viewed.
  • A series of malicious HTTP libraries was identified in the PyPI repository. The malicious activity was found in 41 packages whose names were chosen by typosquatting to resemble popular libraries (aio5, requestst, ulrlib, urllb, libhttps, piphttps, httpxv2, etc.). The package contents were styled as working HTTP libraries or copied the code of existing ones, and the descriptions claimed advantages over, and gave comparisons with, legitimate HTTP libraries. The malicious activity was limited to downloading malware onto the system or collecting and exfiltrating sensitive data.
  • In NPM, 16 JavaScript packages (speedte*, trova*, lagra) were identified that, in addition to their declared functionality (throughput testing), also contained code for mining cryptocurrency without the user's knowledge.
  • 691 malicious packages were identified in NPM. Most of the problematic packages posed as Yandex projects (yandex-logger-sentry, yandex-logger-qloud, yandex-sendsms, etc.) and contained code for sending confidential information to external servers. It is assumed that whoever uploaded the packages was trying to get their own packages pulled in as dependencies when projects are built at Yandex (the dependency confusion method of substituting internal dependencies). In the PyPI repository, the same researchers found 49 packages (reqsystem, httpxfaster, aio6, gorilla2, httpsos, pohttp, and others) with obfuscated malicious code that downloads and runs an executable file from an external server.

Source: opennet.ru
