Flood of malicious packages results in NPM registry DoS

Attackers are exploiting the good reputation and “openness” of the popular public JavaScript software registry NPM to deliver malware and scams, but are also simultaneously and inadvertently launching DoS attacks against the service.

Malicious package on NPM pointing to a site serving malware (Source: Checkmarx)

“The unstoppable load created by those automated scripts made NPM unstable with sporadic ‘Service Unavailable’ errors. I can witness in the past week it happened to me and my colleagues many times,” says Jossef Harush Kadouri, head of software supply chain security at Checkmarx.

The malicious schemes

As documented by Kadouri, attackers misuse NPM to:

  • Perform SEO poisoning for malware-delivery campaigns
  • Pull off spam campaigns
  • Power crypto scam campaigns
  • Carry out phishing campaigns

Earlier this year, Checkmarx spotted a flash attack involving multiple user accounts publishing over 15,000 phishing packages in mere hours, and found that such “attacks” happen often.

“As long as the name is untaken, they can publish an unlimited number of packages [on NPM],” he explains.

“Typically, the number of package versions released on NPM is approximately 800,000. However, in the previous month, the figure exceeded 1.4 million due to the high volume of spam campaigns.”

The process of creating the packages is automated, and the packages usually only contain a readme file.

Depending on the attackers’ goal, the packages/readme files contain links to phishing pages, retail websites using referral IDs, links to custom/spoofed websites offering malware masquerading as game cheats, free resources, how-to guides on gaining more TikTok followers, etc.
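A defender-side triage heuristic for the README-only spam packages described above, added here as an illustration rather than code from Checkmarx or npm. It assumes a package record of the form { name, files (tarball paths), readme (text) }; the lure keyword list, the allow-listed hosts and the sample packages are constructed for the example.

```javascript
// Added example: flag registry packages that match the spam pattern described
// in the article: no code, only a manifest/readme, with outbound links and
// lure wording. Input shape { name, files, readme } is an assumption.

const URL_RE = /https?:\/\/[^\s)>\]"']+/gi;
// Assumed lure vocabulary; tune for your own telemetry.
const SCAM_TERMS = ['cheat', 'free', 'followers', 'giveaway', 'airdrop', 'hack'];
// Files that carry no executable content; a package made only of these is a shell.
const INERT_FILE = /^(package\.json|readme(\.md|\.txt)?|license(\.md|\.txt)?)$/i;
// Hosts that are expected in a normal README and not treated as outbound lures.
const KNOWN_HOST = /(^|\.)(npmjs\.com|github\.com)$/i;

function triagePackage(pkg) {
  const reasons = [];
  // npm tarballs prefix every path with "package/"; strip it before matching.
  const onlyInert = pkg.files.length > 0 &&
    pkg.files.every(f => INERT_FILE.test(f.replace(/^package\//, '')));
  if (onlyInert) reasons.push('no code files, only manifest/readme');

  const hosts = new Set();
  for (const u of pkg.readme.match(URL_RE) || []) {
    try { hosts.add(new URL(u).hostname); } catch { /* ignore malformed URLs */ }
  }
  const external = [...hosts].filter(h => !KNOWN_HOST.test(h));
  if (external.length) reasons.push(`outbound links to ${external.join(', ')}`);

  const text = pkg.readme.toLowerCase();
  const hits = SCAM_TERMS.filter(t => text.includes(t));
  if (hits.length >= 2) reasons.push(`lure wording: ${hits.join(', ')}`);

  // Shell package plus outbound links is the core signature; lure terms add confidence.
  const score = (onlyInert ? 2 : 0) + (external.length ? 2 : 0) + (hits.length >= 2 ? 1 : 0);
  return { name: pkg.name, suspicious: score >= 4, score, reasons };
}

function triageAll(pkgs) { return pkgs.map(triagePackage); }

// Constructed sample packages (not real registry data).
const SAMPLES = [
  { name: 'free-game-cheats-2023', files: ['package/package.json', 'package/README.md'],
    readme: '# Free cheats\nDownload here: http://example.invalid/dl?ref=42\nGet followers free!' },
  { name: 'left-pad-ish', files: ['package/package.json', 'package/index.js', 'package/README.md'],
    readme: '# left-pad-ish\nSee https://github.com/example/left-pad-ish for docs.' },
];

for (const r of triageAll(SAMPLES)) console.log(JSON.stringify(r));
```

The first sample is flagged (shell package, external link, lure terms), the second is not.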

Preventing NPM DoS

NPM’s good reputation with search engines allows these malicious packages to come up high on the list of results when users search for specific terms – an added bonus.

Unfortunately for NPM’s operators, these occasional floods of malicious packages can also overload NPM, meaning that users occasionally can’t access it when they need it.

“[In my honest opinion,] NPM should apply anti-bot techniques specifically in the flow of user creation. That might help prevent such automated campaigns,” Kadouri advised.
