Checkmarx and Illustria uncovered a large-scale phishing operation that flooded NuGet, NPM, and PyPI with automatically generated packages whose descriptions contained links to phishing campaigns. The effort involved more than 140,000 package names, tens of thousands of phishing URLs, and referral rewards, targeting open-source ecosystems. #NuGet #NPM #PyPI #phishing #AliExpress #Checkmarx #Illustria
Keypoints
- 144,294 phishing-related packages were detected across NuGet (136,258), NPM (212), and PyPI (7,824), all attributed to the same threat actor.
- Automation was used to publish packages and generate user accounts, and NuGet unlisted many of the packages to protect users.
- Package descriptions contained links to phishing campaigns, with names designed around hacking/cheats to lure downloads and clicks.
- Phishing activity leveraged a large network of domains and URLs—over 65,000 unique URLs on about 90 domains—redirecting users to phishing sites.
- Phishing pages employed fake interactive chats and multi-step human verification flows that sometimes steered users to legitimate e‑commerce sites.
- Some phishing sites redirected to AliExpress, enabling threat actors to earn referral rewards through purchases.
- Checkmarx and Illustria stress collaboration to defend the ecosystem, with data and datasets available for further research.
MITRE Techniques
- [T1566.002] Spearphishing Link – The package descriptions contained links to phishing sites. ‘The descriptions for these packages contained links to phishing sites.’
- [T1136] Create Account – Automated processes were used to create over 135,000 packages in NuGet and related user accounts. ‘In this situation, it seems that automated processes were used to create over 135,000 packages in NuGet and related user accounts.’
- [T1583] Acquire Infrastructure – Phishing sites hosted on multiple domains; the campaign linked to over 65,000 unique URLs on 90 domains. ‘The phishing campaign linked to over 65,000 unique URLs on 90 domains.’
- [T1195] Supply Chain Compromise – Attackers automated mass package publication to poison the NuGet, PyPI, and NPM ecosystems with 144,294 packages. ‘These attackers invested in automation in order to poison the entire NuGet, PyPi, and NPM ecosystem with 144,294 packages.’
Indicators of Compromise
- [Domain] tinybit[.]cc – Phishing domain used in the campaign to host or redirect phishing pages.
- [Domain] gamecoins[.]codes – Phishing domain used in the campaign to host or redirect phishing pages.
- [Domain] gamecodeclaim[.]com – Phishing domain used in the campaign to host or redirect phishing pages.
- [URL] 65,000+ unique URLs – Volume of phishing URLs linked from the packages across about 90 domains; the full list is not reproduced here (Checkmarx and Illustria state that the data is available for further research).
- [Domain] aliexpress.com – Legitimate e-commerce site reached at the end of some referral-reward redirect chains; on its own it is not an indicator of compromise, and matches on it should be treated as context for the redirect flow rather than as a detection.
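As an added illustration (not code from Checkmarx or Illustria), the following Python script shows the two checks that the key points and the indicator list above suggest for hunting this campaign in registry metadata: matching the links in package descriptions against the report's defanged domain indicators, and flagging accounts that publish many packages within a short window, which catches the automation pattern even when the linked domain is not yet listed. The package records are constructed for the example and are not real registry data; the `hunt` function, its burst thresholds and the `promo-claims.example` host are assumptions of this example.

```python
"""Hunt registry metadata for bulk-published packages carrying phishing links.

Added example, not Checkmarx/Illustria code. Package records below are
constructed for illustration and do not correspond to real packages.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Domains listed as indicators in the report, defanged exactly as published there.
IOC_DOMAINS = {"tinybit[.]cc", "gamecoins[.]codes", "gamecodeclaim[.]com"}

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)


def refang(domain: str) -> str:
    """Turn a defanged indicator ('tinybit[.]cc') back into a matchable host."""
    return domain.replace("[.]", ".").lower()


def description_hosts(description: str) -> set:
    """Hostnames of every http(s) URL found in a package description."""
    hosts = set()
    for url in URL_RE.findall(description):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_listed(host: str, bad_hosts: set) -> bool:
    """Exact or subdomain match against the refanged indicator list."""
    return any(host == bad or host.endswith("." + bad) for bad in bad_hosts)


def hunt(packages, ioc_domains=IOC_DOMAINS, burst_count=5, burst_window_s=900):
    """Return (ioc_hits, bursts).

    ioc_hits: {package name: sorted listed hosts} for descriptions that link to an IoC.
    bursts:   {author: (packages in window, Counter of linked hosts)} for authors
              publishing >= burst_count packages within burst_window_s seconds.
              Thresholds are assumptions of this example, not values from the report.
    """
    bad_hosts = {refang(d) for d in ioc_domains}
    ioc_hits = {}
    by_author = defaultdict(list)
    for pkg in packages:
        hosts = description_hosts(pkg.get("description", ""))
        listed = sorted(h for h in hosts if is_listed(h, bad_hosts))
        if listed:
            ioc_hits[pkg["name"]] = listed
        by_author[pkg["author"]].append((datetime.fromisoformat(pkg["published"]), hosts))

    bursts = {}
    for author, events in by_author.items():
        events.sort(key=lambda e: e[0])
        for i in range(len(events)):
            # Sliding window anchored at event i: everything published within the window after it.
            window = [e for e in events[i:] if (e[0] - events[i][0]).total_seconds() <= burst_window_s]
            if len(window) >= burst_count:
                linked = Counter(h for _, hosts in window for h in hosts)
                bursts[author] = (len(window), linked)
                break
    return ioc_hits, bursts


# Constructed sample records in the shape of registry metadata (not real packages).
# 'acct-4471' mimics the automated account; 'promo-claims.example' stands in for a
# domain the actor rotates to before it reaches any indicator list.
SAMPLE_PACKAGES = [
    {"name": "free-robux-generator-2022", "author": "acct-4471", "published": "2022-12-01T10:00:00",
     "description": "Get free coins here: https://tinybit.cc/claim/4471"},
    {"name": "fortnite-vbucks-hack", "author": "acct-4471", "published": "2022-12-01T10:01:10",
     "description": "Working cheat https://tinybit.cc/claim/4472 no survey"},
    {"name": "minecraft-free-account", "author": "acct-4471", "published": "2022-12-01T10:02:05",
     "description": "Accounts: https://gamecoins.codes/mc?ref=4471"},
    {"name": "steam-wallet-codes-free", "author": "acct-4471", "published": "2022-12-01T10:03:30",
     "description": "Claim codes https://www.gamecodeclaim.com/steam"},
    {"name": "psn-gift-card-generator", "author": "acct-4471", "published": "2022-12-01T10:04:15",
     "description": "https://promo-claims.example/psn - instant delivery"},
    {"name": "gta5-money-cheat-tool", "author": "acct-4471", "published": "2022-12-01T10:05:00",
     "description": "https://promo-claims.example/gta"},
    {"name": "requests-compat", "author": "maintainer-ok", "published": "2022-12-01T11:00:00",
     "description": "Thin compatibility shim. Docs: https://docs.example.org/requests-compat"},
    {"name": "shop-scraper", "author": "maintainer-ok", "published": "2022-12-03T09:30:00",
     "description": "Scrapes listings from https://www.aliexpress.com/ for price tracking"},
]


if __name__ == "__main__":
    hits, bursts = hunt(SAMPLE_PACKAGES)
    for name, hosts in hits.items():
        print(f"IoC hit: {name} -> {', '.join(hosts)}")
    for author, (count, linked) in bursts.items():
        print(f"Burst: {author} published {count} packages; linked hosts {dict(linked)}")
```

The burst check is what makes the difference in practice: the two `promo-claims.example` packages match no indicator, yet they surface because the same account published six packages in five minutes, which is the automation signature the report describes. Note that `shop-scraper` is not flagged even though it links to aliexpress.com, since that host is a legitimate redirect target rather than an indicator.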
Read more: https://checkmarx.com/blog/how-140k-nuget-npm-and-pypi-packages-were-used-to-spread-phishing-links/