A malicious campaign was caught flooding NPM with spam packages, which resulted in a denial of service (DoS) and caused the registry service to be sporadically unavailable.
In the recent wave of attacks, threat actors create malicious websites and publish an exceptionally large volume of empty packages with links to those sites, taking advantage of the good reputation of open-source ecosystems to lure users, according to a Checkmarx blog post on April 4.
The heavy load generated by automated scripts overwhelmed the NPM registry and made it unstable with sporadic "Service Unavailable" errors.
"It was especially concerning that this attack affected the stability of NPM, particularly because NPM is a critical component for modern software developers," Tzachi Zornstain, head of CxDustico at Checkmarx, told SC Media.
"We suspect that the attacker does not intend to damage the stability of NPM. However, it was a side effect of this massive attack."
It is not uncommon for spam campaigns to target open-source repositories, but Jossef Harush Kadouri, head of software supply chain security at Checkmarx, said the onslaught of attacks over the past month is "by far the worst one" he has seen.
While typically there are 700,000 to 800,000 packages published on NPM every month, the number of releases went up to 1.4 million last month due to the significant increase in spam campaigns.
"Since the open-source ecosystems are highly reputed on search engines, any new open-source packages and their descriptions inherit this good reputation and have become well-indexed on search engines, making them more visible to unsuspecting users," Kadouri wrote in the blog post.
"Apparently, attackers found the unvetted open-source ecosystems as an easy target to perform SEO poisoning for various malicious campaigns. As long as the name is untaken, they can publish an unlimited number of packages."
Even more concerning, researchers found that the malware the threat actors delivered is highly obfuscated, evasive, and anti-debug. The packages' descriptions linked to the download of a malicious password-encrypted zip file containing a 600MB zero-padded .exe file. This tactic makes it difficult for EDR systems to detect malicious activities, Kadouri noted.
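As an added example (not code from the Checkmarx research or this article), the following Python check is one a defender could run on a downloaded binary to spot the zero-padding trick described above: it parses the PE section table, measures the overlay past the last section, and flags a large overlay that is almost entirely NUL bytes. The thresholds and the constructed sample blob are assumptions made for the example.

```python
import struct

def pe_data_end(blob: bytes):
    """Return the offset just past the last section's raw data, or None if
    the blob does not look like a PE image (MZ stub + PE signature)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", blob, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]
    table = pe_off + 24 + opt_size            # first IMAGE_SECTION_HEADER
    end = table + 40 * num_sections           # at least the headers themselves
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each header
        size_raw, ptr_raw = struct.unpack_from("<II", blob, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end

def padding_report(blob: bytes, min_overlay: int = 1 << 20, min_zero_ratio: float = 0.99) -> dict:
    """Flag a PE whose overlay (bytes past the last section) is large and almost
    entirely NUL. Thresholds are assumed defaults, not values from the article."""
    end = pe_data_end(blob)
    if end is None or end > len(blob):
        return {"parsed": False, "suspicious": False}
    overlay = blob[end:]
    ratio = overlay.count(0) / len(overlay) if overlay else 0.0
    return {
        "parsed": True,
        "file_size": len(blob),
        "data_end": end,
        "overlay_bytes": len(overlay),
        "zero_ratio": ratio,
        "suspicious": len(overlay) >= min_overlay and ratio >= min_zero_ratio,
    }

def build_sample(padding: int) -> bytes:
    """Constructed minimal PE-shaped blob (not a runnable executable): one
    16-byte section at offset 0x80, followed by `padding` NUL bytes."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    section = b".text\0\0\0" + struct.pack("<IIII", 16, 0x1000, 16, 0x80) + b"\0" * 16
    body = b"\x41" * 16
    return dos + coff + section + body + b"\0" * padding

if __name__ == "__main__":
    for pad in (0, 4096):
        print(pad, padding_report(build_sample(pad), min_overlay=1024))
```

On a real sample the same overlay measurement works unchanged; only `min_overlay` needs raising to a size that makes sense for the binaries your pipeline sees.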
Upon further investigation, researchers observed a wide range of other techniques employed by the threat actors, including DLL side-loading and virtualization/sandbox evasion to steal credentials and mine cryptocurrency. The researchers also observed attackers disabling tools and firewalls, as well as dropping tools such as Glupteba, RedLine, Smoke Loader and xmrig.
In response to the incident, the NPM team implemented an anti-bot mechanism to raise the bar against automated account creation used in similar attacks.
For developers, Zornstain said they should always save a local copy of the packages they use, and recommended they check out the OpenSSF Secure Supply Chain Consumption Framework (S2C2F) to learn more about safely consuming open-source packages.
Threats within the open-source ecosystem continue to evolve as attackers constantly shift their tactics to disrupt software supply chains. In February, Checkmarx researchers observed a similar attack (NPM repository flooded with 15,000 phishing packages) which they suspect was made by the same threat actor.