This attack is reminiscent of another campaign, uncovered in December 2022, that targeted the NuGet, PyPI and npm ecosystems. Just like last year, the attackers place their links in the packages' README.md files.
The fake packages are disguised as various cheats and free resources. For example, some promise free social media followers or Xbox codes, with names such as free-tiktok-followers and free-xbox-codes. The attackers' goal is to get users to download these packages and follow the links to phishing or referral sites.
Typically, these sites encourage victims to complete surveys or redirect them to legitimate e-commerce sites such as AliExpress.
According to Checkmarx, a new wave of such packages was uploaded to npm between February 20 and 21, 2023, from several accounts. The attackers used a Python script that automated the entire publishing process.
In addition, the script was designed to add links to the published npm packages on WordPress sites controlled by the attackers. These sites allegedly offer cheats for the game Family Island.
Overall, automation allowed the attackers to publish a large number of packages in a short period of time, and the use of multiple accounts helped obscure the true scope of the campaign.
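The campaign's fingerprint is simple: a lure-style package name, a README that links to a domain the package does not otherwise vouch for, and almost no code. The following triage helper, an added example that is not code from Checkmarx or from the original report, scores a package on those three signals; the sample package and its domain are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample resembling the spam packages described above (not a real package).
SAMPLE_PACKAGE = {
    "name": "free-tiktok-followers",
    "package_json": {
        "name": "free-tiktok-followers",
        "version": "1.0.0",
        "repository": "https://github.com/example-user/free-tiktok-followers",
    },
    "readme": "# Free TikTok Followers\nClaim yours here: https://prizes.example-spam.test/claim\n",
    "files": {"index.js": "module.exports = {};\n"},
}

URL_RE = re.compile(r"https?://[^\s)>\"']+")
# Keywords typical of the lure names seen in this campaign (assumed list, extend as needed).
LURE_RE = re.compile(r"\b(free|cheat|hack|generator|giveaway|unlimited)\b", re.I)

def readme_links(readme):
    """All http(s) URLs found in the README text."""
    return URL_RE.findall(readme)

def trusted_domains(pkg_json):
    """Domains the package declares about itself in package.json (homepage/repository/bugs)."""
    domains = set()
    for field in ("homepage", "repository", "bugs"):
        val = pkg_json.get(field)
        if isinstance(val, dict):
            val = val.get("url")
        if isinstance(val, str) and val.startswith("http"):
            domains.add(urlparse(val).netloc.lower())
    return domains

def assess(pkg):
    """Return (score, reasons); each reason is one independent spam signal."""
    reasons = []
    links = readme_links(pkg["readme"])
    foreign = sorted({urlparse(u).netloc.lower() for u in links} - trusted_domains(pkg["package_json"]))
    if foreign:
        reasons.append(f"README links to domains not declared in package.json: {foreign}")
    if LURE_RE.search(pkg["name"]):
        reasons.append("package name matches a lure keyword")
    code_lines = sum(len(src.strip().splitlines()) for src in pkg["files"].values())
    if links and code_lines <= 3:
        reasons.append(f"README carries links but the package has only {code_lines} line(s) of code")
    return len(reasons), reasons
```

Run `assess()` over the unpacked contents of each new package in a registry feed and review anything scoring 2 or higher.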