Who Broke NPM?: Malicious Packages Flood Leading to Denial of Service

Malicious campaigns targeting the open-source npm ecosystem are generating a flood of spam packages, SEO poisoning, and malware infections, and the automated publishing load behind them has made npm unstable and caused service outages. The operations span malware drops, referral scams tied to AliExpress, and crypto scams, and are documented with a broad set of IOCs rooted in open-source supply-chain abuse. #Glupteba #RedLine #SmokeLoader #xmrig #AliExpress #NPM #OpenSourceEcosystems

Keypoints

  • Malicious campaigns target open-source ecosystems by publishing empty packages that link to malicious sites, leveraging search engines’ trust.
  • Campaigns described include malware infection, AliExpress referral scams, and crypto scams aimed at Telegram users in Russia.
  • DoS effects from automated scripts caused NPM to become unstable with Service Unavailable errors.
  • Package-version publishing on NPM surged (over 1.4 million versions in one month vs. ~800k typically).
  • IOCs cited include domain names, IP addresses, and URLs used by the campaigns.
  • Malware droppers (e.g., Glupteba, RedLine, Smoke Loader, xmrig) and techniques like DLL side-loading and sandbox evasion were observed.
  • Recommendations emphasize strengthened supply-chain security and anti-bot measures in user/package creation flows.

MITRE Techniques

  • [T1195] Supply Chain – Open-source ecosystem abuse to propagate campaigns and links through npm packages. ‘Malicious campaigns targeting open-source ecosystems are causing a flood of spam, SEO poisoning, and malware infection.’
  • [T1189] Drive-by Compromise – SEO poisoning via malicious websites and empty packages linked to them, leveraging ecosystem reputations. ‘In this attack method, cybercriminals create malicious websites and publish empty packages with links to those malicious websites, taking advantage of open-source ecosystems’ good reputation on search engines.’
  • [T1499] Endpoint Denial of Service – DoS effect from automated scripts causing NPM instability. ‘The unstoppable load created by those automated scripts made NPM unstable with sporadic “Service Unavailable” errors.’
  • [T1562.001] Impair Defenses – Disable or modify tools and firewalls as part of infection/drop sequence. ‘disable tools and firewalls’ quoted in context.
  • [T1574.002] DLL Side-Loading – Use of DLL side-loading as an infection technique. ‘DLL side-loading, virtualization/sandbox evasion, disable tools and firewalls…’
  • [T1496] Resource Hijacking – Crypto mining and credential theft using dropped tools. ‘to steal credentials and to mine cryptocurrency.’
  • [T1003] Credential Dumping – Credential theft implied by dropping tools to steal credentials. ‘to steal credentials’ mentioned in the same context as other tools.

Indicators of Compromise

  • [Domain] context – beelowers[.]com, sun6-22[.]userapi.com, and other malicious domains
  • [IP] context – 208.67.104.60, 163.123.143.4 (and related hosts)
  • [URL] context – hxxp://208.67.104.60/api/tracemap.php, hxxp://45.12.253.72/default/puk.php
  • [File] context – brazilx86.exe, Service_.vmp, Service.vmp
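The two defensive checks this summary implies (the "empty package that only links out" shape from the Keypoints and MITRE sections, and matching the defanged indicators above against traffic logs) can be combined into one small triage script. The code below is an added example written for this page, not Checkmarx's tooling or anything from the original post: the `SAMPLE_PACKAGES` and `SAMPLE_LOG` inputs are constructed, the "empty package" heuristic is an assumption (a tarball holding nothing beyond package.json, README and LICENSE), and the only real indicators are the ones listed above.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the list above, kept defanged the way the report
# prints them (hxxp, [.]); refang() turns them back into matchable form.
DEFANGED_IOCS = [
    "beelowers[.]com",
    "sun6-22[.]userapi.com",
    "208.67.104.60",
    "163.123.143.4",
    "hxxp://208.67.104.60/api/tracemap.php",
    "hxxp://45.12.253.72/default/puk.php",
]


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions so the indicator can be compared."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def ioc_hosts(indicators) -> set:
    """Reduce every indicator (URL, domain or IP) to a lower-cased host."""
    hosts = set()
    for ioc in indicators:
        r = refang(ioc)
        host = urlparse(r).hostname if "://" in r else r
        if host:
            hosts.add(host.lower())
    return hosts


def host_matches(host: str, bad_hosts: set) -> bool:
    """Exact match, or a subdomain of a listed domain."""
    host = host.lower()
    return any(host == b or host.endswith("." + b) for b in bad_hosts)


URL_RE = re.compile(r"https?://[^\s)\]>\"']+")
# Assumed heuristic: files whose basename starts with one of these are not code.
BOILERPLATE_PREFIXES = ("package.json", "readme", "license", "licence")


def is_empty_package(files) -> bool:
    """True when the tarball carries nothing but metadata, README and LICENSE."""
    for path in files:
        name = path.lower().rsplit("/", 1)[-1]
        if not name.startswith(BOILERPLATE_PREFIXES):
            return False
    return True


def assess_package(name, files, readme, bad_hosts) -> dict:
    """Flag the SEO-poisoning shape: no code, only outbound links in the README."""
    links = URL_RE.findall(readme)
    link_hosts = sorted({urlparse(u).hostname.lower() for u in links if urlparse(u).hostname})
    hits = [h for h in link_hosts if host_matches(h, bad_hosts)]
    empty = is_empty_package(files)
    if hits:
        verdict = "block"    # README links straight to a listed host
    elif empty and link_hosts:
        verdict = "review"   # nothing but links: worth a human look
    else:
        verdict = "ok"
    return {"name": name, "empty": empty, "links": link_hosts, "ioc_hits": hits, "verdict": verdict}


def build_log_matcher(bad_hosts):
    # Longest alternatives first; lookarounds stop "208.67.104.600" or
    # "notbeelowers.com" from matching while still allowing subdomains.
    alts = "|".join(re.escape(h) for h in sorted(bad_hosts, key=len, reverse=True))
    return re.compile(r"(?<![\w-])(?:" + alts + r")(?![\w-])", re.IGNORECASE)


def scan_log_lines(lines, bad_hosts):
    """Return (line_index, matched_indicator) for every line touching a listed host."""
    matcher = build_log_matcher(bad_hosts)
    return [(i, m.group(0).lower()) for i, line in enumerate(lines) if (m := matcher.search(line))]


# Constructed sample input: three package tarball listings with README text,
# and three constructed proxy log lines.
SAMPLE_PACKAGES = [
    {"name": "hot-deals-2024", "files": ["package/package.json", "package/README.md"],
     "readme": "Best offers here: http://beelowers.com/deal and more"},
    {"name": "tiny-left-pad", "files": ["package/package.json", "package/index.js", "package/README.md"],
     "readme": "Docs: https://github.com/example-org/tiny-left-pad"},
    {"name": "ref-bonus", "files": ["package/package.json", "package/README.md", "package/LICENSE"],
     "readme": "Get your bonus: https://example.net/track?ref=1"},
]
SAMPLE_LOG = [
    "2024-01-10T10:00:01Z proxy allow host=registry.npmjs.org path=/lodash",
    "2024-01-10T10:00:05Z proxy allow host=208.67.104.60 path=/api/tracemap.php",
    "2024-01-10T10:00:09Z proxy allow host=sun6-22.userapi.com path=/c12.vk.me",
]


def run_demo():
    bad = ioc_hosts(DEFANGED_IOCS)
    results = [assess_package(p["name"], p["files"], p["readme"], bad) for p in SAMPLE_PACKAGES]
    return results, scan_log_lines(SAMPLE_LOG, bad)


if __name__ == "__main__":
    results, log_hits = run_demo()
    for r in results:
        print(f'{r["name"]:16} empty={r["empty"]!s:5} links={r["links"]} hits={r["ioc_hits"]} -> {r["verdict"]}')
    for idx, ioc in log_hits:
        print(f"log line {idx} matched {ioc}")
```

In a registry or CI setting the same `assess_package` call would run on the tarball file list and README pulled from the package metadata; the "review" verdict is deliberately a triage signal rather than a block, since plenty of legitimate placeholder packages are also code-free.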

Read more: https://medium.com/checkmarx-security/who-broke-npm-malicious-packages-flood-leading-to-denial-of-service-77ac707ddbf1