Thousands of fake packages flood npm registry in major attack - here's what we know
Campaign could be in preparation for a major malicious attack
- Over 43,000 dormant spam packages flooded npm in a coordinated two-year campaign
- Some packages contained worm-like scripts that auto-generated and published new entries
- Attackers may have faked TEA impact scores to earn decentralized developer rewards
Roughly 1% of the entire npm ecosystem now consists of bogus, dormant packages that were uploaded as part of a years-long targeted - and potentially malicious - campaign, experts have claimed.
Cybersecurity researchers at Endor Labs discovered more than 43,000 spam packages, uploaded over almost two years in a coordinated effort that involved at least 11 distinct user accounts.
“The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years," the researchers said.
TEA token harvesting?
The researchers dubbed the campaign IndonesianFoods because of the way the packages are named. The script used to generate package names contains two internal dictionaries, one of Indonesian names and the other of Indonesian food terms. When the script runs, it selects one term from each at random, adds a number, and appends a suffix.
The strange part is that the packages themselves are not malicious. They’re not designed to steal sensitive developer data, or to act as a backdoor. Instead, they just lie there, dormant, gathering downloads.
Some packages have thousands of weekly downloads, the researchers explain, hinting that it gives the attacker a potential edge: “This leaves an opportunity for the attackers to push a malicious commit in the future that would affect all those downloads.”
Some of the packages did contain a worm-like script which, if run, would generate additional packages and publish them to npm.
Beyond the malicious potential, the researchers also believe this could be part of a financially motivated campaign. Some of the packages included tea.yaml files listing TEA accounts. tea is a decentralized protocol that rewards open source developers for their contributions.
This could mean that the attackers tried to fake their impact scores, thus earning more TEA tokens.
Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.