Npm Repository Flooded with over 15,000 Referral Packages
Checkmarx analysts noticed that the npm repository was flooded with over 15,000 packages with junk links. The attackers used the referral links of various trading sites to profit from their referral programs.
Let me remind you that we also wrote that Compromised npm Packages Use Cryptocurrency Exchanges, and also that Hackers Stole the Credentials of 100,000 npm Users. This attack is reminiscent of another campaign uncovered in December 2022 targeting the NuGet, PyPi and npm ecosystems. Now, just like last year, attackers include their links in README.md files.
Fake packages are disguised as various cheats and free resources. For example, some promise free social media followers or Xbox codes: free-tiktok-followers and free-xbox-codes. The attackers' goal is to get users to download these packages and follow the links to phishing or referral sites.
Typically, these sites encourage victims to complete surveys or redirect them to legitimate e-commerce sites such as AliExpress.
According to Checkmarx, a new wave of such packages was uploaded to npm from several accounts between February 20 and 21, 2023. The attackers used a Python script that automated the entire process.
In addition, the script was designed to post links to the published npm packages on WordPress sites controlled by the attackers. These sites allegedly offer cheats for Family Island.
In general, automation allowed the attackers to publish a large number of packages in a short period of time, and spreading the uploads across multiple accounts helped obscure the scope of the attack.
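The two traits the article describes, referral-style links planted in README.md files and a burst of lure-named packages pushed from a handful of accounts in a day or two, are both cheap to check for on the defender's side. The following is an added example (not code from Checkmarx or from the article) of a triage pass over npm registry-style metadata that flags packages combining those traits. The package records, publisher names, timestamps, README text, keyword lists and thresholds are constructed for the demonstration; only the two package names free-tiktok-followers and free-xbox-codes and the Family Island lure come from the report.

```javascript
// Added example, not from the Checkmarx report or the article. Heuristic triage of
// npm registry-style metadata for referral-spam packages. All sample data, keyword
// lists and thresholds below are constructed assumptions for the demonstration.

const LURE_WORDS = ["free", "followers", "codes", "cheat", "hack", "generator", "giveaway"];
const REFERRAL_PARAMS = ["ref", "referral", "aff", "affiliate", "invite", "utm_campaign"];
const BURST_WINDOW_MS = 24 * 60 * 60 * 1000; // publisher burst window: 24 hours
const BURST_THRESHOLD = 5;                   // this many publishes in the window is a burst

// Pull http(s) URLs out of Markdown or plain text.
function extractUrls(text) {
  return Array.from(text.matchAll(/https?:\/\/[^\s)>\]"']+/g), m => m[0]);
}

// A URL is treated as referral-style when its query string carries one of the
// tracking/referral parameter names above.
function isReferralUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  for (const key of url.searchParams.keys()) {
    if (REFERRAL_PARAMS.includes(key.toLowerCase())) return true;
  }
  return false;
}

// Publishers that pushed BURST_THRESHOLD or more packages inside any 24 hour
// sliding window are marked as bursty.
function burstyPublishers(packages) {
  const byPublisher = new Map();
  for (const p of packages) {
    const times = byPublisher.get(p.publisher) ?? [];
    times.push(Date.parse(p.publishedAt));
    byPublisher.set(p.publisher, times);
  }
  const bursty = new Set();
  for (const [publisher, times] of byPublisher) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > BURST_WINDOW_MS) start++;
      if (end - start + 1 >= BURST_THRESHOLD) { bursty.add(publisher); break; }
    }
  }
  return bursty;
}

// Score one package: referral links in the README, lure words in the name and a
// bursty publisher each add a reason; two or more reasons mark it suspicious.
function triagePackage(pkg, bursty) {
  const reasons = [];
  const referralLinks = extractUrls(pkg.readme).filter(isReferralUrl);
  if (referralLinks.length > 0) reasons.push(`README has ${referralLinks.length} referral-style link(s)`);
  const lures = pkg.name.toLowerCase().split(/[-_.]/).filter(w => LURE_WORDS.includes(w));
  if (lures.length > 0) reasons.push(`lure words in name: ${lures.join(", ")}`);
  if (bursty.has(pkg.publisher)) reasons.push(`publisher ${pkg.publisher} published in a burst`);
  return { name: pkg.name, suspicious: reasons.length >= 2, reasons };
}

function triageAll(packages) {
  const bursty = burstyPublishers(packages);
  return packages.map(p => triagePackage(p, bursty));
}

// Constructed sample: one account pushing five lure-named packages within hours,
// each README pointing at a referral-style URL, plus one ordinary package.
const spamReadme = "Get it here: https://example.com/offer?ref=abc123 (survey required)";
const SAMPLE_PACKAGES = [
  { name: "free-tiktok-followers",     publisher: "spam-account-1", publishedAt: "2023-02-20T10:00:00Z", readme: spamReadme },
  { name: "free-xbox-codes",           publisher: "spam-account-1", publishedAt: "2023-02-20T11:00:00Z", readme: spamReadme },
  { name: "family-island-cheat",       publisher: "spam-account-1", publishedAt: "2023-02-20T12:00:00Z", readme: spamReadme },
  { name: "free-followers-generator",  publisher: "spam-account-1", publishedAt: "2023-02-20T13:00:00Z", readme: spamReadme },
  { name: "giveaway-codes-free",       publisher: "spam-account-1", publishedAt: "2023-02-20T14:00:00Z", readme: spamReadme },
  { name: "left-pad-clone",            publisher: "maintainer",     publishedAt: "2023-02-20T09:30:00Z", readme: "Pads strings. Docs: https://example.org/docs" },
];

for (const r of triageAll(SAMPLE_PACKAGES)) {
  console.log(r.suspicious ? "SUSPICIOUS" : "ok        ", r.name, r.reasons.join("; "));
}
```

In practice the metadata would come from the registry's package documents rather than an inline array, and the word lists would be tuned against a corpus of known spam; the point is that README link inspection and per-publisher publish-rate are complementary signals, and neither alone is enough to flag a package.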