The NuGet, PyPI, and npm ecosystems are the target of a new campaign that has resulted in over 144,000 packages being published by unknown threat actors.
“The packages were part of a new attack vector, with attackers spamming the open source ecosystem with packages containing links to phishing campaigns,” researchers from Checkmarx and Illustria said in a report published Wednesday.
Of the 144,294 phishing-related packages that were detected, 136,258 were published on NuGet, 7,824 on PyPI, and 212 on npm. The offending libraries have since been unlisted or taken down.
Further analysis revealed that the whole process was automated and that the packages were pushed over a short span of time, with a majority of the usernames following the convention “<a-z><1900-2022>”, that is, a single lowercase letter followed by a year between 1900 and 2022.
The fake packages themselves claimed to provide hacks, cheats, and free resources in an attempt to trick users into downloading them. The URLs to the rogue phishing pages were embedded in the package description.
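The indicators described above (a publisher username of one lowercase letter plus a year, a URL embedded in the package description, "hack/cheat/free" lures, and a burst of publications in a short window) can be turned into a simple triage heuristic over registry metadata. The following Python script is an added example and is not code from the Checkmarx or Illustria researchers; the package records, account names and `lure.example` URLs in it are constructed for illustration, and the lure keyword list and the time window are assumptions, not values reported by the researchers.

```python
import re

# Constructed metadata records (not real packages or accounts). The fields
# mirror what registry APIs expose: name, publisher username, free-text
# description, and publication time as epoch seconds.
SAMPLE_PACKAGES = [
    {"name": "free-robux-hack", "author": "k2017", "published": 1670918400,
     "description": "Free Robux hack generator, claim here: https://lure.example/claim"},
    {"name": "fortnite-vbucks-cheat", "author": "m1999", "published": 1670918460,
     "description": "Fortnite cheat, unlimited V-Bucks -> https://lure.example/vbucks"},
    {"name": "steam-gift-cards", "author": "q2005", "published": 1670918520,
     "description": "Free Steam gift cards https://lure.example/steam"},
    {"name": "requests-helper", "author": "alice", "published": 1670900000,
     "description": "Small helper around requests. Docs: https://docs.example.org"},
    {"name": "yaml-tools", "author": "b2020", "published": 1670500000,
     "description": "Utilities for YAML files"},
    {"name": "game-mods-free", "author": "legit_dev", "published": 1670918580,
     "description": "Free game mod hack pack: https://lure.example/mods"},
]

# Username convention reported for the campaign: one lowercase letter
# followed by a four-digit year in the range 1900-2022.
USERNAME_RE = re.compile(r"^[a-z](19\d{2}|20[01]\d|202[0-2])$")

# Any http(s) URL embedded in free text.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Assumed lure vocabulary (hacks, cheats, free resources); not from the report.
LURE_WORDS = {"hack", "cheat", "free", "generator", "crack", "mod"}


def username_matches_convention(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def extract_urls(text: str) -> list[str]:
    return URL_RE.findall(text)


def lure_score(description: str) -> int:
    """Number of distinct lure keywords present as whole words."""
    words = set(re.findall(r"[a-z]+", description.lower()))
    return len(LURE_WORDS & words)


def assess(pkg: dict) -> dict:
    """Score one package; a URL in the description is required, plus either
    the campaign username pattern or at least two lure keywords."""
    urls = extract_urls(pkg["description"])
    conv = username_matches_convention(pkg["author"])
    score = lure_score(pkg["description"])
    reasons = []
    if conv:
        reasons.append("username matches <a-z><1900-2022>")
    if urls:
        reasons.append(f"{len(urls)} URL(s) in description")
    if score:
        reasons.append(f"{score} lure keyword(s)")
    return {"name": pkg["name"], "suspicious": bool(urls) and (conv or score >= 2),
            "reasons": reasons, "urls": urls}


def flag_suspicious(packages: list[dict]) -> list[str]:
    return [a["name"] for a in map(assess, packages) if a["suspicious"]]


def find_bursts(packages: list[dict], window_seconds: int = 600, min_cluster: int = 3) -> list[list[str]]:
    """Group packages from convention-named publishers that were pushed within
    window_seconds of each other; return groups of at least min_cluster."""
    conv = sorted((p for p in packages if username_matches_convention(p["author"])),
                  key=lambda p: p["published"])
    bursts, i = [], 0
    while i < len(conv):
        j = i
        while j + 1 < len(conv) and conv[j + 1]["published"] - conv[i]["published"] <= window_seconds:
            j += 1
        if j - i + 1 >= min_cluster:
            bursts.append([p["name"] for p in conv[i:j + 1]])
        i = j + 1
    return bursts


if __name__ == "__main__":
    for a in map(assess, SAMPLE_PACKAGES):
        print(f"{a['name']:24} suspicious={a['suspicious']!s:5} {'; '.join(a['reasons'])}")
    print("bursts:", find_bursts(SAMPLE_PACKAGES))
```

The username pattern alone is weak evidence (the `yaml-tools` record matches it but is not flagged), so the check requires the embedded URL that was the campaign's actual payload, and the burst detector gives a second, account-independent signal that a registry operator could apply at publish time.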