The open-source ecosystem is under attack from a new spam campaign that flooded the npm registry with over 15,000 fake packages designed to distribute phishing links. The packages carry links to phishing campaigns in their README.md files and masquerade as cheats or free resources, with names such as “free-tiktok-followers,” “free-xbox-codes,” and “instagram-followers-free.” The aim is to entice users into downloading the packages and clicking through to the phishing sites on the bogus promise of more followers on social media platforms. Once redirected to a phishing site, the user is urged to fill out surveys or is sent on to legitimate e-commerce portals such as AliExpress.
The packages were created by an automated process: their project descriptions and auto-generated names closely resemble one another, which makes it hard to tell the fake packages from legitimate ones. They were uploaded to npm from multiple user accounts within a few hours between February 20 and 21, 2023, using a Python script that automates the whole process. The same script is also engineered to append links to the newly published npm packages on WordPress websites operated by the threat actor that claim to offer Family Island cheats, adding an extra layer of sophistication to the attack.
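As an added example (not code from the article or from any material in the campaign), the triage heuristic below scores package metadata against the indicators described above: lure keywords in names and READMEs, README links that point off the registry, and bursts of similar packages published within hours. The package names are the ones the article lists; the timestamps, README text and link hosts are constructed for this example.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Indicators from the article: lure words, off-registry README links, burst publishing.
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")
LURE_RE = re.compile(r"\b(free|cheats?|codes?|followers|generator)\b", re.I)
TRUSTED_HOSTS = {"github.com", "npmjs.com", "www.npmjs.com"}
# Constructed sample: names are from the article; timestamps, READMEs, hosts are made up.
SAMPLE_PACKAGES = [
    {"name": "free-tiktok-followers", "published": "2023-02-20T22:05:00",
     "readme": "Get FREE followers now! Visit https://followers.phish.example/win"},
    {"name": "free-xbox-codes", "published": "2023-02-20T22:07:00",
     "readme": "Free Xbox codes generator: https://codes.phish.example/go"},
    {"name": "instagram-followers-free", "published": "2023-02-21T01:30:00",
     "readme": "Claim followers free: https://followers.phish.example/ig"},
    {"name": "left-pad-lite", "published": "2023-02-10T09:00:00",
     "readme": "Pads strings. Docs: https://github.com/example/left-pad-lite"},
]

def external_links(readme):
    """URLs in a README whose host is not on the trusted list."""
    return [u for u in URL_RE.findall(readme)
            if urlparse(u).hostname not in TRUSTED_HOSTS]

def publish_bursts(packages, window_hours=24, min_count=3):
    """Lure-named packages published in a burst: >= min_count in one window."""
    lure = sorted((datetime.fromisoformat(p["published"]), p["name"])
                  for p in packages if LURE_RE.search(p["name"]))
    burst = set()
    for i, (t0, _) in enumerate(lure):
        group = [n for t, n in lure[i:] if (t - t0).total_seconds() <= window_hours * 3600]
        if len(group) >= min_count:
            burst.update(group)
    return burst

def flag_packages(packages):
    """Map package name -> reasons; a package is flagged only if two indicators agree."""
    bursts = publish_bursts(packages)
    flagged = {}
    for p in packages:
        checks = [(LURE_RE.search(p["name"]), "lure keyword in package name"),
                  (LURE_RE.search(p["readme"]) and external_links(p["readme"]),
                   "README lure text with off-registry link"),
                  (p["name"] in bursts, "published in a burst of similar packages")]
        reasons = [why for hit, why in checks if hit]
        if len(reasons) >= 2:
            flagged[p["name"]] = reasons
    return flagged
```

Requiring two independent indicators keeps a single lure-sounding word in a legitimate package name from triggering a flag on its own.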
The threat actors behind this attack linked to retail websites using referral IDs, thus profiting from the referral rewards they earned. The deceptive web pages used in the attack are well-designed and even include fake interactive chats that appear to show users receiving the game cheats or followers they were promised. This new spam campaign demonstrates the challenges in securing the software supply chain, as threat actors continue to adapt with “new and unexpected techniques.”
Security experts warn that this type of attack highlights the importance of vetting packages and their dependencies, even for well-known and widely used libraries, since attackers can easily create fake versions that bypass many security checks. Developers are advised to use multiple security measures to protect their software supply chains, including code reviews, vulnerability scanning, and penetration testing.