Flood of malicious packages results in NPM registry DoS
Malicious package on NPM pointing to a site serving malware (Source: Checkmarx)
“The unstoppable load created by those automated scripts made NPM unstable with sporadic “Service Unavailable” errors. I can witness in the past week it happened to me and my colleagues many times,” says Jossef Harush Kadouri, head of software supply chain security at Checkmarx.
The malicious schemes
As documented by Kadouri, attackers misuse NPM to:
- Perform SEO poisoning for malware-delivery campaigns
- Pull off spam campaigns
- Power crypto scam campaigns
- Carry out phishing campaigns
Earlier this year, Checkmarx spotted a flash attack involving multiple user accounts publishing over 15,000 phishing packages in mere hours, and found that such “attacks” happen often.
“As long as the name is untaken, they can publish an unlimited number of packages [on NPM],” he explains.
“Typically, the number of package versions released on NPM is approximately 800,000. However, in the previous month, the figure exceeded 1.4 million due to the high volume of spam campaigns.”
The process of creating the packages is automated, and the packages usually only contain a readme file.
Depending on the attackers’ goal, the packages/readme files contain links to phishing pages, retail websites using referral IDs, links to custom/spoofed websites offering malware masquerading as game cheats, free resources, how-to guides on gaining more TikTok followers, etc.
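As an added illustration (not code from the article or from Checkmarx), the following Python triage heuristic flags the pattern described above: packages that ship nothing but a manifest and a README, READMEs that carry external links, and a publisher pushing many packages inside a short window. All package records below are constructed samples, and the thresholds are assumptions a registry or a downstream scanner would tune.

```python
import re
from datetime import datetime, timedelta

# Constructed sample metadata, modelled on the spam described above: automated
# publishers, README-only contents, links to external sites. Not real packages.
SAMPLE_PACKAGES = [
    {"name": "free-robux-gen-2023", "publisher": "spamacct1",
     "published": "2023-04-01T10:00:00Z", "files": ["package.json", "README.md"],
     "readme": "# Free Robux\nClick here: https://lure.example/robux"},
    {"name": "tiktok-followers-hack", "publisher": "spamacct1",
     "published": "2023-04-01T10:00:30Z", "files": ["package.json", "README.md"],
     "readme": "Get followers -> https://lure.example/tiktok?ref=123"},
    {"name": "left-pad-clone", "publisher": "dev42",
     "published": "2023-04-01T09:00:00Z",
     "files": ["package.json", "README.md", "index.js", "test/index.test.js"],
     "readme": "# left-pad-clone\nSee https://example.com/left-pad-clone"},
]

URL_RE = re.compile(r"https?://[^\s)>\]]+")
# Files that carry no code; a package made only of these is "README-only".
NON_CODE = {"package.json", "readme", "readme.md", "license", "license.md"}

def flag_package(pkg):
    """Heuristic reasons a single package looks like link spam (may be empty)."""
    reasons = []
    if all(f.lower() in NON_CODE for f in pkg["files"]):
        reasons.append("readme-only")
        if URL_RE.search(pkg["readme"]):
            reasons.append("external-links")
    return reasons

def burst_publishers(pkgs, window=timedelta(hours=1), threshold=2):
    """Publishers that pushed >= threshold packages inside one sliding window."""
    by_pub = {}
    for p in pkgs:
        ts = datetime.fromisoformat(p["published"].replace("Z", "+00:00"))
        by_pub.setdefault(p["publisher"], []).append(ts)
    bursty = set()
    for pub, times in by_pub.items():
        times.sort()
        if any(times[i + threshold - 1] - t <= window
               for i, t in enumerate(times[: len(times) - threshold + 1])):
            bursty.add(pub)
    return sorted(bursty)

def triage(pkgs):
    """Map package name -> combined reasons, adding the publisher-level signal."""
    bursty = set(burst_publishers(pkgs))
    extra = lambda p: ["burst-publisher"] if p["publisher"] in bursty else []
    return {p["name"]: flag_package(p) + extra(p) for p in pkgs}
```

On the sample data the two README-only packages from the bursty account collect all three signals, while the ordinary package with code files collects none.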
Preventing NPM DoS
NPM’s good reputation with search engines allows these malicious packages to come up high on the list of results when users search for specific terms – an added bonus.
Unfortunately for NPM’s operators, these occasional floods of malicious packages can also overload NPM, meaning that users occasionally can’t access it when they need it.
“[In my honest opinion,] NPM should apply anti-bot techniques specifically in the flow of user creation. That might help prevent such automated campaigns,” Kadouri advised.