Checkmarx researchers uncovered a mass-spam campaign in the NPM ecosystem in which automated processes published thousands of malicious packages whose READMEs link to phishing campaigns. The operation combined automated package creation, names and descriptions that masqueraded as legitimate ones, use of credentials, and posting of package links on WordPress-like sites to broaden reach; phishing flows redirected to sites such as AliExpress, and a dataset is hosted on GitHub Gist. #Checkmarx #NPM #AliExpress #GitHubGist #Python #Selenium #WordPress
Keypoints
- Over 15,000 NPM packages were created and published in a short time through automated processes.
- The packages used auto-generated names and descriptions that resembled legitimate ones to mislead users.
- Package READMEs contained links to phishing campaigns, spreading the lure across the ecosystem.
- Phishing pages used multiple domains with well-designed pages and fake interactive chats to entice victims.
- Some phishing flows redirected to AliExpress with referral rewards earned by the attackers.
- Python scripts embedded in the attack flow defined configuration, generated content, and published packages via npm publish, sometimes including credentials.
- The attackers used Selenium to post package links on WordPress-like sites, authenticating as editors to proceed.
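As an added defender-side example (not code from the Checkmarx write-up): a Python checker that flags package READMEs linking to the phishing domains listed in this summary's IoC section, and groups packages whose descriptions are near-identical, the auto-generated batch pattern described above. The package names, descriptions and README text are constructed samples, not real npm packages.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations
from urllib.parse import urlparse

# Phishing domains taken from this summary's Indicators of Compromise section.
PHISHING_DOMAINS = {"betapps.club", "stumblegems.site"}
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")

def extract_hosts(readme):
    """Collect the hostnames of every http(s) link found in a README."""
    hosts = set()
    for url in URL_RE.findall(readme):
        host = (urlparse(url).hostname or "").lower()
        if host:
            hosts.add(host)
    return hosts

def matches_ioc(host):
    """True if host is a listed phishing domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in PHISHING_DOMAINS)

def scan_package(name, readme):
    """Flag a package whose README links to known phishing infrastructure."""
    hosts = extract_hosts(readme)
    hits = sorted(h for h in hosts if matches_ioc(h))
    return {"name": name, "links": sorted(hosts), "ioc_hits": hits, "flag": bool(hits)}

def near_duplicate_pairs(packages, threshold=0.9):
    """Pair up packages whose descriptions are near-identical: a sign of
    auto-generated spam batches published in bulk, as in this campaign."""
    pairs = []
    for a, b in combinations(packages, 2):
        ratio = SequenceMatcher(None, a["description"], b["description"]).ratio()
        if ratio >= threshold:
            pairs.append((a["name"], b["name"]))
    return pairs

# Constructed sample packages (hypothetical names, not real npm packages).
SAMPLE_PACKAGES = [
    {"name": "free-gems-helper-01", "description": "Get free gems fast with this simple helper tool",
     "readme": "# free-gems-helper-01\nClaim here: https://betapps.club/claim?x=1"},
    {"name": "free-gems-helper-02", "description": "Get free gems fast with this simple helper tool!",
     "readme": "# free-gems-helper-02\nClaim: http://promo.stumblegems.site/go"},
    {"name": "string-padder-demo", "description": "Pads strings on the left",
     "readme": "Docs: https://github.com/example-org/string-padder-demo"},
]
```

Run `scan_package` over each entry of a registry export and `near_duplicate_pairs` over the whole batch; a package that both links to a listed domain and sits in a near-duplicate cluster is a strong candidate for takedown review.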
MITRE Techniques
- [T1195] Supply Chain Compromise – Used automated publication of malicious NPM packages to poison the ecosystem. “A sudden surge of thousands of SPAM packages were uploaded to the NPM open-source ecosystem from multiple user accounts within hours.”
- [T1566.002] Phishing: Spearphishing Link – Readme files contained links leading to phishing campaigns. “the packages were part of a trending new attack vector, with attackers spamming the open-source ecosystem with packages containing links to phishing campaigns in their README.md files.”
- [T1036] Masquerading – Auto-generated names and descriptions closely resembled legitimate ones. “with project descriptions and auto-generated names that closely resembled one another.”
- [T1059.006] Python – Python scripts automate content generation and package publication. “The flow of the Python script are as follows:” and “Uploads the new package to NPM using the npm publish command.”
- [T1078] Valid Accounts – Used credentials to authenticate as editors during automated posting. “First, they need to authenticate as an editor” and “credentials used by the attacker in the attack flow.”
- [T1583] Acquire Infrastructure – Created or gained access to multiple news-like websites to publish content. “the attacker created or at least has access to several news-like websites in which they can publish content.”
Indicators of Compromise
- [Domain] Context – Phishing infrastructure domains – betapps.club, stumblegems.site, and 29 more domains
- [URL] Context – Phishing campaign sources and redirects – https://gist.github.com/masteryoda101/a3f3500648f7e6da7bf89b3fb210e839, https://www.aliexpress.com
Read more: https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-links/