Threat actors are flooding the npm open source package repository with bogus packages, which even resulted in a brief denial-of-service (DoS) attack.
“Threat actors create malicious websites and publish empty packages with links to the malicious websites, taking advantage of the open source ecosystem’s good reputation in search engines,” Jossef Harush Kadouri of Checkmarx said in a report published last week.
“The attack caused a denial-of-service (DoS) that left NPM unstable with sporadic ‘Service Unavailable’ errors.”
While similar campaigns were recently observed spreading phishing links, the latest wave pushed the total number of packages to 1.42 million, a dramatic increase from the estimated 800,000 packages previously released on npm.
This attack technique takes advantage of the fact that open source repositories rank highly in search engine results: the actor creates a malicious website and uploads an empty npm module whose README.md file links to that site.
“Since the open source ecosystem is very well known in search engines, each new open source package and its description inherits this good reputation and becomes well indexed in search engines, making it more visible to unsuspecting users,” explains Harush Kadouri.
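The pattern described above (a package with no code, whose README only pushes readers to an external site) can be triaged automatically. The following is an added example, not code from Checkmarx or npm; it takes the file listing of an unpacked package tarball, the trusted-host allowlist is an assumption to be tuned, and both sample packages are constructed.

```javascript
// Heuristic triage of an unpacked npm package for the "empty package + README link" pattern.
// Input: map of file path -> file contents, as obtained by extracting a package tarball.
const CODE_EXT = /\.(c|m)?js$|\.ts$|\.json$|\.node$|\.wasm$/i;
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;
// Assumed allowlist of hosts that routinely appear in legitimate READMEs; tune per environment.
const TRUSTED_HOSTS = new Set(["github.com", "www.npmjs.com", "npmjs.com"]);

function triagePackage(files) {
  const reasons = [];
  const paths = Object.keys(files);
  // Any source or binary artefact other than package.json counts as "code".
  const codeFiles = paths.filter(p => p !== "package.json" && CODE_EXT.test(p));
  if (codeFiles.length === 0) reasons.push("no code files besides package.json");

  let pkg = {};
  try { pkg = JSON.parse(files["package.json"] || "{}"); } catch { reasons.push("unparseable package.json"); }
  if (!pkg.main && !pkg.bin && !pkg.exports) reasons.push("no entry point (main/bin/exports)");

  // Collect every host linked from README / README.md and keep those outside the allowlist.
  const readme = paths.filter(p => /^readme(\.md)?$/i.test(p)).map(p => files[p]).join("\n");
  const hosts = new Set();
  for (const m of readme.matchAll(URL_RE)) hosts.add(m[1].toLowerCase());
  const externalHosts = [...hosts].filter(h => !TRUSTED_HOSTS.has(h));
  if (externalHosts.length > 0) reasons.push(`README links to untrusted host(s): ${externalHosts.join(", ")}`);

  // Flag only the combination: carries no code AND sends readers elsewhere.
  const suspicious = codeFiles.length === 0 && externalHosts.length > 0;
  return { suspicious, reasons, externalHosts };
}

// Constructed sample: an empty package whose only content is a README link.
const emptyPkg = {
  "package.json": JSON.stringify({ name: "free-game-codes-2023", version: "1.0.0" }),
  "README.md": "# Free codes\nClick here: https://example-spam.invalid/claim",
};
// Constructed sample: a small but genuine library with an entry point and code.
const realPkg = {
  "package.json": JSON.stringify({ name: "tiny-util", version: "0.1.0", main: "index.js" }),
  "index.js": "module.exports = x => x + 1;",
  "README.md": "Source: https://github.com/example/tiny-util",
};

console.log(triagePackage(emptyPkg));
console.log(triagePackage(realPkg));
```

Running it over a registry feed of newly published versions gives a cheap first-pass filter; a hit is a signal for review, not proof of malice.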
Because the entire process is automated, the load created by publishing so many packages caused npm to experience intermittent stability issues towards the end of March 2023.
Checkmarx points out that while multiple actors may be behind the activity, the end goal is to infect the victim’s system with malware such as RedLine Stealer, Glupteba, SmokeLoader, and cryptocurrency miners.
Other links take users through a series of intermediate pages that ultimately lead to legitimate e-commerce sites such as AliExpress with a referral ID attached, giving the operators a referral benefit when victims make purchases on the platform. A third category invites Russian users to join Telegram channels that specialize in cryptocurrencies.
“The battle against threat actors who poison our software supply chain ecosystem continues to be challenging, as attackers continue to adapt and surprise the industry with new and unexpected techniques,” said Mr.
To prevent such automated campaigns, Checkmarx recommends that npm incorporate anti-bot techniques during user account creation.