Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

Research

Exposing Automation of npm Registry Spam

A recently uncovered Python script highlights a spam campaign tactic where malicious actors automate the publishing of spam packages to the npm package registry.

Exposing Automation of npm Registry Spam

Socket Research Team

Philipp Burckhardt

Sarah Gooding

December 12, 2023


A concerning trend has emerged within the software supply chain affecting the npm registry throughout 2023. npm is a critical component of the JavaScript ecosystem, fostering code sharing and collaboration among developers across the globe. Yet, this invaluable resource has become the target of an increasing number of spam campaigns in which threat actors publish numerous spam packages to promote their phishing campaigns.

Packages with names such as 10-ways-to-earn-free-imvu-credits-in-2023, paypal-m-o-n-e-y-generator-f-r-e-e-paypal-m-o-n-e-y-adder-5m, or candy-crush-saga-free-gold-bars-tutorial-2023---014 all scream "It's a trap!" louder than Admiral Ackbar on his most alert day, but their goal is not to fool the experienced software developer.

These spam packages are designed to improve the search engine rankings of the malicious websites linked within the package README files. By flooding package repositories with URLs and certain keywords, the malicious actors increase the visibility and perceived legitimacy of these links in search engines.

Motivations for Spamming the npm Registry#

This bewildering spam campaign doesn't make a lot of sense unless you consider how many sites and services mirror the npm package registry. It is the largest single language code repository in the world by far, with almost 4 million packages (including packages that have been removed) and 252+ million downloads in 2023.

Nearly one million maintainers publish their packages to npm. There are times when a developer unpublishes a package that is a critical dependency for other projects. For example, years ago there was an incident where a developer suddenly pulled all 250+ of his modules from npm and broke thousands of dependent projects. At that time, npm took the unprecedented action of restoring some of these packages to keep dependent projects running as expected. (The policy for restoring unpublished packages has changed since then.)

For this reason and many other others, organizations opt to mirror the npm registry. It allows for npm install commands to work offline, as commonly-installed modules can be cached and served faster than from the remote registry.

When spammers publish their packages to the npm registry, they're looking to get their links out into the wild, as those respective URLs will then appear on many different sites that display information from npm.

There are thousands of public npm registry mirrors run by individuals and organizations for their own purposes, giving spam packages greater impact and placement across many sites and services. A sharp rise in spam packages getting registered on npm contributed to npm instability issues in March 2023, which impacts the integrity and reliability of the open source ecosystem.

The following findings are part of this ongoing trend of hackers creating bogus packages to capitalize on open source repositories' higher ranking in search engines.

Python Script Analysis #

Recently, we've analyzed a Python script that we encountered in one package that was used to conduct this type of spam campaign by publishing dozens of packages to the npm registry. To give a measure for the magnitude, this specific campaign alone was responsible for almost 5,000 packages published to the npm registry.

The script begins by importing necessary modules and libraries, indicating its intention to interact with web services and automate actions.

The script uses a predefined list of directories representing potential package folders. It proceeds to read configurations and content from these directories, including titles and keywords.

The script generates new versions of index.js, package.json, and README.md files for each spam package. It copies templates from a predefined source (C:\Users\mouhcine\Desktop\npmjs\data) and modifies them, replacing specific placeholders with dynamically generated content. The new link is generated based on titles and a random number, aiming to create a unique identifier for each spam package.

Publishing Spam Packages #

The script attempts to publish the generated packages to the npm registry using the npm publish command. It waits for a short period before validating the published package URLs. It then reports successful publications and logs the URLs for potential further exploitation.

WordPress Interaction #

Additionally, the script interacts with WordPress sites, presumably for spam purposes. It logs into WordPress using predefined credentials and populates fields with the generated spam package links, possibly for amplifying the spam campaign's reach as the respective WordPress sites are likely indexed by search engines.

Conclusion#

The analyzed script showcases the modus operandi of threat actors engaged in spamming the npm registry. In total, we identified 31 users that were engaged in this particular spam campaign (e.g., [1], [2], or [3]). The attackers automate the creation and publication of spam packages using various tactics, including file manipulation and dynamic content generation. Increased vigilance and proactive measures are crucial within the software supply chain to mitigate the adverse effects of these spam campaigns.

Subscribe to our newsletter

Get notified when we publish new security blog posts!

Try it now

Ready to block malicious and vulnerable dependencies?

Install GitHub AppBook a demo

Related posts

Back to all posts
SocketSocket SOC 2 Logo

Product

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc