Exposing Automation of npm Registry Spam

A recently uncovered Python script highlights a spam campaign tactic where malicious actors automate the publishing of spam packages to the npm package registry.

Socket Research Team

Philipp Burckhardt

Sarah Gooding

December 12, 2023


A concerning trend has emerged within the software supply chain affecting the npm registry throughout 2023. npm is a critical component of the JavaScript ecosystem, fostering code sharing and collaboration among developers across the globe. Yet, this invaluable resource has become the target of an increasing number of spam campaigns in which threat actors publish numerous spam packages to promote their phishing campaigns.

Packages with names such as 10-ways-to-earn-free-imvu-credits-in-2023, paypal-m-o-n-e-y-generator-f-r-e-e-paypal-m-o-n-e-y-adder-5m, or candy-crush-saga-free-gold-bars-tutorial-2023---014 all scream "It's a trap!" louder than Admiral Ackbar on his most alert day, but their goal is not to fool the experienced software developer.

These spam packages are designed to improve the search engine rankings of the malicious websites linked within the package README files. By flooding package repositories with URLs and certain keywords, the malicious actors increase the visibility and perceived legitimacy of these links in search engines.

Motivations for Spamming the npm Registry

This bewildering spam campaign doesn't make a lot of sense unless you consider how many sites and services mirror the npm package registry. It is the largest single-language code repository in the world by far, with almost 4 million packages (including packages that have been removed) and 252+ million downloads in 2023.

Nearly one million maintainers publish their packages to npm. There are times when a developer unpublishes a package that is a critical dependency for other projects. For example, years ago there was an incident where a developer suddenly pulled all 250+ of his modules from npm and broke thousands of dependent projects. At that time, npm took the unprecedented action of restoring some of these packages to keep dependent projects running as expected. (The policy for restoring unpublished packages has changed since then.)

For this reason and many others, organizations opt to mirror the npm registry. A mirror allows npm install commands to work offline, as commonly installed modules can be cached and served faster than from the remote registry.

When spammers publish their packages to the npm registry, they're looking to get their links out into the wild, as those respective URLs will then appear on many different sites that display information from npm.

There are thousands of public npm registry mirrors run by individuals and organizations for their own purposes, giving spam packages greater impact and placement across many sites and services. A sharp rise in spam packages getting registered on npm contributed to npm instability issues in March 2023, which impacts the integrity and reliability of the open source ecosystem.

The following findings are part of this ongoing trend of hackers creating bogus packages to capitalize on open source repositories' higher ranking in search engines.

Python Script Analysis

Recently, we analyzed a Python script, found in one package, that was used to conduct this type of spam campaign by publishing dozens of packages to the npm registry. To give a sense of the magnitude, this specific campaign alone was responsible for almost 5,000 packages published to the npm registry.

The script begins by importing necessary modules and libraries, indicating its intention to interact with web services and automate actions.

The script uses a predefined list of directories representing potential package folders. It proceeds to read configurations and content from these directories, including titles and keywords.

The script generates new versions of index.js, package.json, and README.md files for each spam package. It copies templates from a predefined source (C:\Users\mouhcine\Desktop\npmjs\data) and modifies them, replacing specific placeholders with dynamically generated content. The new link is generated based on titles and a random number, aiming to create a unique identifier for each spam package.
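Because every package is stamped from the same templates, the READMEs collapse to one skeleton once the link, title and numbers are masked, which gives registry and mirror operators something to cluster on. The following is an added example, not code from the analyzed script or from Socket; the function names are hypothetical and the package names, publishers, URLs and README text are constructed.

```javascript
// Mask what a template-driven generator varies per package (links, title,
// numbers) so that only the shared template text remains.
function templateSkeleton(pkg) {
  const words = pkg.name.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
  // Trailing numeric tokens (year, random suffix) are not part of the title.
  while (words.length && /^\d+$/.test(words[words.length - 1])) words.pop();
  let text = pkg.readme.toLowerCase().replace(/https?:\/\/\S+/g, '<url>');
  if (words.length) {
    text = text.replace(new RegExp(words.join('[\\s_-]+'), 'g'), '<title>');
  }
  return text.replace(/\d+/g, '<n>').replace(/\s+/g, ' ').trim();
}

// Group packages by skeleton; keep groups with at least minSize members.
function findTemplateClusters(packages, minSize = 3) {
  const groups = new Map();
  for (const pkg of packages) {
    const key = templateSkeleton(pkg);
    if (!groups.has(key)) groups.set(key, { names: [], publishers: new Set() });
    groups.get(key).names.push(pkg.name);
    groups.get(key).publishers.add(pkg.publisher);
  }
  return [...groups.entries()]
    .filter(([, g]) => g.names.length >= minSize)
    .map(([skeleton, g]) => ({ skeleton, names: g.names, publishers: [...g.publishers] }));
}

// Constructed sample metadata: not real packages, accounts or URLs.
const sampleReadme = (title, slug) =>
  `# ${title} 2023\n\nClick here to get it now: https://site.example/${slug}\n\nUpdated daily, works on all devices.`;
const SAMPLE = [
  { name: 'free-gems-guide-2023-417', publisher: 'user-a',
    readme: sampleReadme('Free Gems Guide', 'free-gems-guide-417') },
  { name: 'coin-spins-tutorial-2023-88', publisher: 'user-a',
    readme: sampleReadme('Coin Spins Tutorial', 'coin-spins-tutorial-88') },
  { name: 'gift-card-codes-2023-9031', publisher: 'user-b',
    readme: sampleReadme('Gift Card Codes', 'gift-card-codes-9031') },
  { name: 'left-trim', publisher: 'user-c',
    readme: '# left-trim\n\nTrim leading whitespace.\n\n## Usage\n\n`leftTrim(str)`' },
];

for (const c of findTemplateClusters(SAMPLE)) {
  console.log(`${c.names.length} packages, ${c.publishers.length} publishers: ${c.skeleton}`);
}
```

Clusters are leads for review rather than verdicts: empty or scaffold-generated READMEs also collapse to a shared skeleton, so weigh cluster size together with publisher count and outbound links.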

Publishing Spam Packages

The script attempts to publish the generated packages to the npm registry using the npm publish command. It waits for a short period before validating the published package URLs. It then reports successful publications and logs the URLs for potential further exploitation.

WordPress Interaction

Additionally, the script interacts with WordPress sites, presumably for spam purposes. It logs into WordPress using predefined credentials and populates fields with the generated spam package links, possibly for amplifying the spam campaign's reach as the respective WordPress sites are likely indexed by search engines.

Conclusion

The analyzed script showcases the modus operandi of threat actors engaged in spamming the npm registry. In total, we identified 31 users that were engaged in this particular spam campaign (e.g., [1], [2], or [3]). The attackers automate the creation and publication of spam packages using various tactics, including file manipulation and dynamic content generation. Increased vigilance and proactive measures are crucial within the software supply chain to mitigate the adverse effects of these spam campaigns.
