Open in app

Sign in

Write

Sign in

Stopping Malicious Packages at their Source

Yehuda Gelb
checkmarx-security
Published in
6 min readJul 8, 2023

--

  • In late March 2023, a Malicious campaign targeting the NPM ecosystem occurred, causing a flood of spam, SEO poisoning, and malware infection.
  • The attacks caused a Denial of Service (DoS) that made NPM unstable with sporadic “Service Unavailable” errors.
  • The campaigns included a malware infection campaign, a referral scam campaign linked to AliExpress, and a crypto scam campaign targeting Russian users on Telegram.
  • In early May 2023, barely a month later, the same user accounts were used to flood NPM with thousands of additional spam packages.
  • This attack on NPM highlights the fact that we are not only dealing with a package problem but an adversary problem, underscoring the need for effective strategies for dealing with malicious packages at their source.

During the past year and a half, we’ve seen various spam campaigns targeting the open-source ecosystems, it peaked in late March when we reported on an alarming and disruptive influx of malicious campaigns flooding NPM. From SEO poisoning to malware infections and referral scams, the good reputation of open-source ecosystems was exploited by threat actors, leading to “Service Unavailable” errors due to excessive load.

“Service Unavailable” errors reported globally by frustrated users

Just a month after that spam campaign which flooded NPM with over 1.4 million package versions, the same user accounts linked to these activities resurfaced.

Despite the chaos caused by the initial attack, these accounts were never taken down, thereby allowing them to continue to publish packages with malicious intent. Barely a month later, in early May, NPM was again bombarded with thousands of additional spam packages from these very accounts.

Spam attack on NPM in March 2023

This recurrence underscores a security loophole. While the attention has been majorly on the packages, the real perpetrators behind the scenes, the attackers, were left untouched. The continued presence of these malicious user accounts underlines a crucial, overlooked point in our battle against these threat actors.

Pyramid of pain

Applying the framework of the Pyramid of Pain in this current situation (a model that provides a visual representation of the discomfort a threat actor experiences when their malicious activities are obstructed), The package names that the malicious actors leverage form the base of the pyramid. These are relatively easy to change and pose only a minor inconvenience to the attacker when removed. However, moving higher up the pyramid, the ‘pain’ or difficulty the threat actors face increases significantly. When we reach the level of ‘contributor accounts’, where we currently find ourselves, the difficulty for threat actors to adapt and continue their operations substantially heightens.

Eliminating these malicious accounts is akin to cutting off the head of the hydra, stopping multiple potential threats at once. This action is far more impactful compared to merely tackling individual package names, which can be likened to pruning the hydra’s heads — a temporary solution at best, as the threat merely regenerates. By striking at a higher level in the Pyramid of Pain, we effectively increase the cost, time, and resources required for the attackers to rebound, effectively slowing their operations and providing us with a more robust defense.

Similar techniques used across campaigns.

Spam Campaigns

The concept is simple. Each package contains nothing but a readme file. This readme file is displayed on the package’s page and contains a unique, short link to another website with the context of the original npm package.

Malware Infection Campaign

This campaign’s goal is to infect the victim with a malicious .exe file. The bait is tempting illegal warez description. Most likely the victims are going to search and land on those npm pages.

One example among many

Upon clicking on the short link, there is a custom website that appears to be legitimate but is hosted on the threat actor’s infrastructure. offering a download of the warez software.

This downloads a password-encrypted zip file and, when extracted, creates a zero-padded .exe file size of ~600MB, a technique used to avoid detection by EDRs

We reduced the file size using “dd” command to ~10mb

dd if=Install.exe of=Install-trim.exe bs=1024 count=10240

We then analyzed the malware in AnyRun and we saw a range of tactics used. DLL side-loading, virtualization/sandbox evasion, disable tools and firewalls, drop of tools such as Glupteba, RedLine, Smoke Loader, xmrig and more to steal credentials and to mine cryptocurrency

AliExpress Referral Scam Campaign

Many of the phishing websites in these spam packages contained “free” resources, enticing users to attempt to download them, however clicking on the links to these “free” resources would ultimately redirect to eCommerce websites with referral IDs, for example AliExpress. Like many other retail websites, AliExpress offers a referral program that rewards members for referring new customers to the platform.

If the threat actors refer their victims to AliExpress and they make a purchase, the threat actors’ account will receive a referral reward in the form of a coupon or store credit thus profiting from the referral rewards.

Crypto Scam Campaign

In this case, the attackers invited Russian users to join a Telegram channel specialize in crypto.

Summary

This event brings to the forefront a significant point: to stop the flood, we need to fix the leak at its source. To put it plainly, while dealing with malicious packages is critical, our focus should be equally, if not more, on the attackers. By taking down the source — the malicious user accounts, we stand a better chance of preventing the dissemination of harmful packages in the first place.

That being said, it is important to note that deleting a user account should not be done lightly. This is because legitimate users who may have been using the account for non-malicious purposes could be impacted. For example, a legitimate user account that had fallen victim to an attacker who spread malicious packages through that account for a short period. Additionally, deleting a user account may not be feasible in all cases, as the threat actor could simply create a new account and continue their activities under a different name.

As a community, we should actively share information about these malicious accounts. By doing so, we can improve the collective security of open-source ecosystems, making it harder for these attackers to exploit them.

For further details, inquiries, or access to the original metadata or samples from these phishing campaigns, feel free to contact us at supplychainsecurity@checkmarx.com.

Together, we can ensure a secure future for open-source ecosystems.

Supply Chain Security
Open Sourc
Software Supply Chain
NPM
Pyramid Of Pain

--

--

Yehuda Gelb
checkmarx-security

Written by Yehuda Gelb

73 Followers

Yehuda is a security researcher at Checkmarx and has a passion for making cyberspace a safer place to live and work.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams