NPM Open Source Package Repository Flooded with Bogus Packages


Recently, npm, the open source package repository for Node.js, was flooded with bogus packages in such volume that the flood amounted to a denial-of-service (DoS) attack. According to a report published by Checkmarx, threat actors created malicious websites and published empty packages containing links to those websites, taking advantage of the good reputation that open-source ecosystems enjoy on search engines.

The technique leverages the high ranking that open-source repositories receive in search engine results: the actors create rogue websites, then upload empty npm modules whose README.md files link to those sites. The volume of uploads caused a denial-of-service (DoS) that left npm unstable, with sporadic ‘Service Unavailable’ errors. The flood brought the repository to approximately 1.42 million package versions, a dramatic uptick from the approximately 800,000 packages previously released on npm.
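The pattern described above, an empty package whose only substance is a README link to an external site, is easy to triage from registry metadata. The following is an added example, not code from the original post or from Checkmarx, that scores constructed package records (name, version, README text, tarball file list) for that combination and then counts, across all flagged packages, how many point at the same host; many empty packages sharing one host is the signature of an automated campaign. The allow-list of benign link hosts and the sample records are assumptions made for the example.

```python
"""Heuristic triage of npm package metadata for SEO-spam characteristics.

The records below are constructed sample data (not real npm packages), shaped
like the fields one would fetch from the npm registry API for each package.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Captures the host of every http(s) URL; the trailing class stops at whitespace
# or a closing bracket so markdown links such as [x](https://host/path) parse cleanly.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s)>\]]*")

# Hosts that routinely appear in legitimate READMEs (assumed allow-list).
BENIGN_HOSTS = {"github.com", "npmjs.com", "www.npmjs.com", "nodejs.org"}

# Files every published tarball carries regardless of whether it contains code.
BOILERPLATE_FILES = {"package.json", "README.md", "readme.md", "LICENSE"}


@dataclass
class PackageRecord:
    name: str
    version: str
    readme: str
    files: list[str] = field(default_factory=list)


def external_hosts(readme: str) -> set[str]:
    """Return the lower-cased link hosts in a README that are not on the allow-list."""
    return {m.group(1).lower() for m in URL_RE.finditer(readme)} - BENIGN_HOSTS


def code_file_count(files: list[str]) -> int:
    """Count tarball entries that are not boilerplate, i.e. files that could hold code."""
    return sum(1 for f in files if f.split("/")[-1] not in BOILERPLATE_FILES)


def triage(record: PackageRecord) -> dict:
    """Flag a package that ships no code yet promotes external sites in its README."""
    hosts = external_hosts(record.readme)
    n_code = code_file_count(record.files)
    reasons = []
    if n_code == 0:
        reasons.append("no code files in tarball")
    if hosts:
        reasons.append(f"{len(hosts)} external link host(s): {', '.join(sorted(hosts))}")
    return {
        "name": record.name,
        "suspicious": n_code == 0 and bool(hosts),
        "reasons": reasons,
        "hosts": sorted(hosts),
    }


def campaign_hosts(records: list[PackageRecord]) -> Counter:
    """Across all suspicious packages, count how many packages point at each host."""
    counts: Counter = Counter()
    for r in records:
        result = triage(r)
        if result["suspicious"]:
            counts.update(result["hosts"])
    return counts


# Constructed sample records; the .invalid TLD marks the hosts as placeholders.
SAMPLE = [
    PackageRecord("real-lib", "1.2.0",
                  "Utilities. Source: https://github.com/example/real-lib",
                  ["package.json", "README.md", "index.js", "lib/util.js"]),
    PackageRecord("free-gift-cards-2023", "1.0.0",
                  "Get yours here: [link](https://example-promo.invalid/go?ref=1)",
                  ["package.json", "README.md"]),
    PackageRecord("crypto-bonus-now", "1.0.0",
                  "Claim bonus http://Example-Promo.INVALID/claim",
                  ["package.json", "README.md"]),
    PackageRecord("empty-placeholder", "0.0.1",
                  "Reserved name, nothing here yet.",
                  ["package.json", "README.md"]),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(triage(rec))
    print("hosts shared by suspicious packages:", campaign_hosts(SAMPLE))
```

Only the two records that combine an empty tarball with an outbound link are flagged; the placeholder package with no links is reported but not marked suspicious, and the campaign count shows both flagged packages pointing at the same host.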

The end goal of these malicious activities is to infect the victim’s system with malware such as RedLine Stealer, Glupteba, SmokeLoader, and cryptocurrency miners. In addition, some of the links take users through a series of intermediate pages that ultimately lead to legitimate e-commerce sites like AliExpress with referral IDs, earning the actors a profit when the victim makes a purchase on the platform. A third category entails inviting Russian users to join a Telegram channel that specializes in cryptocurrency.

One of the reasons these attacks succeed is that open source ecosystems are highly trusted by search engines. Any new open-source package and its description inherits this good reputation and is indexed quickly, making it more visible to unsuspecting users. Because the whole publishing process was automated, the load created by publishing so many packages led to npm intermittently experiencing stability issues towards the end of March 2023.

To prevent such automated campaigns, Checkmarx recommends that npm incorporate anti-bot techniques during user account creation. However, defending the software supply chain ecosystem against poisoning remains challenging, as attackers constantly adapt and surprise the industry with new techniques.

Mohamed Nabil Ali

A Trailblazing IT Expert, Technology Geek, and Bughunter.
