
In a continuing assault on the open source ecosystem, over 15,000 spam packages have flooded the npm repository in an attempt to distribute phishing links.

“The packages were created using automated processes, with project descriptions and auto-generated names that closely resembled one another,” Checkmarx researcher Yehuda Gelb said in a Tuesday report.

“The attackers referred to retail websites using referral IDs, thus profiting from the referral rewards they earned.”

The modus operandi involves poisoning the registry with rogue packages whose README.md files carry links to phishing campaigns, reminiscent of a similar campaign the software supply chain security firm exposed in December 2022.

The fake modules masqueraded as cheats and free resources, with some packages named as “free-tiktok-followers,” “free-xbox-codes,” and “instagram-followers-free.”

The ultimate goal of the operation is to entice users into downloading the packages and clicking on the links to the phishing sites with bogus promises of increased followers on social media platforms.
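The traits described above (lure-word package names, README links carrying referral IDs, and auto-generated look-alike descriptions) can be turned into a registry triage heuristic. The following is an added defender-side example, not code from the article or from Checkmarx; the package data, the referral parameter names and the scoring thresholds are constructed assumptions.

```javascript
// Added defender-side example; not code from the article or from Checkmarx.
// Triage heuristic for npm packages resembling the campaign described above:
// lure words in the name, README links with referral-style query parameters,
// and near-duplicate descriptions across packages. Package data, parameter
// names and thresholds are constructed assumptions for illustration.
const LURE_WORDS = ["free", "followers", "codes", "cheat", "generator"];
const REFERRAL_PARAMS = new Set(["ref", "refid", "referral", "aff", "affiliate", "invite"]);

// Pull http(s) URLs out of README markdown text.
const extractUrls = (md) => md.match(/https?:\/\/[^\s)>\]"'`]+/gi) || [];

// True when any query parameter name looks like a referral/affiliate ID.
function hasReferralParam(url) {
  try {
    return [...new URL(url).searchParams.keys()].some((k) => REFERRAL_PARAMS.has(k.toLowerCase()));
  } catch { return false; } // malformed URL: nothing to parse
}

// Score one package: each lure word in the name counts 1, each referral link counts 2.
function triagePackage(pkg) {
  const lureHits = LURE_WORDS.filter((w) => pkg.name.toLowerCase().includes(w));
  const referralLinks = extractUrls(pkg.readme).filter(hasReferralParam);
  const score = lureHits.length + 2 * referralLinks.length;
  return { name: pkg.name, lureHits, referralLinks, score, suspicious: score >= 2 };
}

// Jaccard similarity of word sets catches auto-generated look-alike descriptions.
const tokens = (s) => new Set(s.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean));
function jaccard(a, b) {
  const inter = [...a].filter((t) => b.has(t)).length;
  return inter / (a.size + b.size - inter || 1);
}

// Greedy grouping: a package joins the first cluster whose seed description is similar enough.
function clusterByDescription(pkgs, threshold = 0.6) {
  const clusters = [];
  for (const p of pkgs) {
    const t = tokens(p.description);
    const c = clusters.find((cl) => jaccard(cl.seed, t) >= threshold);
    if (c) c.members.push(p.name); else clusters.push({ seed: t, members: [p.name] });
  }
  return clusters.map((cl) => cl.members);
}

const SAMPLE_PACKAGES = [ // constructed; not real registry entries
  { name: "free-tiktok-followers", description: "Get free tiktok followers instantly with this tool",
    readme: "# Free followers\nClaim here: https://example.com/offer?ref=abc123" },
  { name: "instagram-followers-free", description: "Get free instagram followers instantly with this tool",
    readme: "Claim here: https://example.com/offer?ref=abc124" },
  { name: "left-pad-utils", description: "Pads strings on the left", readme: "Docs: https://example.org/docs" },
];
```

Run `triagePackage` over each entry and `clusterByDescription` over the whole list; the two lure packages score 4 and land in one cluster, while the benign package scores 0 and stands alone.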

images from Hacker News