Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort.

“The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years,” Endor Labs researchers Cris Staicu and Kiran Raj said in a Tuesday report.

The coordinated campaign has so far published as many as 46,484 packages, according to SourceCodeRED security researcher Paul McCarty, who first flagged the activity. The end goal is quite unusual: rather than stealing data or carrying out other malicious behavior, the campaign is designed to inundate the npm registry with random packages.

The worm-like propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFoods. The bogus packages masquerade as Next.js projects.

“What makes this threat particularly concerning is that the attackers took the time to craft an NPM worm, rather than a singular attack,” McCarty said. “Even worse, these threat actors have been staging this for over two years.”

Some signs that point to a sustained, coordinated effort include the consistent naming patterns and the fact that the packages are published from a small network of over a dozen npm accounts.

The worm is located within a single JavaScript file (e.g., “auto.js” or “publishScript.js”) in each package, staying dormant until a user manually runs the script using a command like “node auto.js.” In other words, it does not execute automatically during installation or as part of a “postinstall” hook.

It’s not clear why someone would go to the extent of running the JavaScript manually, but the existence of over 43,000 packages suggests that either multiple victims executed the script (by accident or out of curiosity) or the attackers ran it themselves to flood the registry, Henrik Plate, head of security research at Endor Labs, told The Hacker News.

“We haven’t found evidence of a coordinated social engineering campaign, but the code was written with social engineering potential; possible victim scenarios include: fake blog posts, tutorials, or README entries instructing users to run ‘node auto.js’ to ‘complete setup’ or ‘fix a build issue,’ [and] CI/CD pipeline build scripts with wildcards, something like node *.js, that execute all JavaScript files,” Raj added.

“The payload’s dormant design is intended to evade automated detection; by requiring manual execution instead of ‘autorun,’ the attackers reduce the chance of being flagged by security scanners and sandboxing systems.”

The manual execution causes the script to initiate a series of actions in an infinite loop, including removing the “private”: true entry from the “package.json” file. This setting is typically used to prevent accidental publication of…
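As an added, defensive example (not code from the Endor Labs or SourceCodeRED reports, nor from the campaign itself): a small Python scanner that flags installed packages carrying a root-level “auto.js” or “publishScript.js” and notes when such a package also declares Next.js, together with a pre-publish check that a project’s own package.json still carries “private”: true. The package names in the demo tree it builds are constructed for this example.

```python
import json
import tempfile
from pathlib import Path

SUSPECT_SCRIPTS = {"auto.js", "publishScript.js"}  # script names cited in the report

def load_manifest(pkg_dir):
    """Parse package.json in pkg_dir; empty dict if missing or invalid."""
    try:
        return json.loads((Path(pkg_dir) / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}

def assess_package(pkg_dir):
    """Indicators for one installed package; empty list means nothing flagged."""
    present = sorted(s for s in SUSPECT_SCRIPTS if (Path(pkg_dir) / s).is_file())
    if not present:
        return []
    hits = ["dormant script: " + ", ".join(present)]
    if "next" in load_manifest(pkg_dir).get("dependencies", {}):
        hits.append("declares next dependency (Next.js masquerade)")
    return hits

def scan_node_modules(nm_dir):
    """Map package directory name -> indicators for every flagged package."""
    findings = {}
    for pkg_dir in sorted(p for p in Path(nm_dir).iterdir() if p.is_dir()):
        if hits := assess_package(pkg_dir):
            findings[pkg_dir.name] = hits
    return findings

def publish_guard_intact(project_dir):
    """True if the project's own package.json still carries "private": true."""
    return load_manifest(project_dir).get("private") is True

def build_demo_tree():
    """Constructed sample tree (names made up): a clean package, a mimic, own project."""
    root = Path(tempfile.mkdtemp())
    samples = [  # (directory, manifest, root-level files)
        (root / "node_modules" / "clean-lib", {"name": "clean-lib"}, ["index.js"]),
        (root / "node_modules" / "demo-suspect-pkg", {"name": "demo-suspect-pkg",
         "dependencies": {"next": "^14.0.0"}}, ["index.js", "auto.js"]),
        (root, {"name": "my-app", "private": True}, []),  # publish guard still in place
    ]
    for pkg_dir, manifest, files in samples:
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        for fname in files:
            (pkg_dir / fname).touch()
    return root
```

Running `scan_node_modules` on the demo tree reports only the mimic package, and `publish_guard_intact` on the project root returns True as long as the guard has not been stripped.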


Last Update: November 13, 2025