The battle against threat actors targeting the open-source ecosystem continues, with researchers observing a sudden surge of over 15,000 phishing packages flooding NPM, the world’s largest free software registry.
The malicious packages were created using an automated process to distribute links to phishing campaigns over a few hours between Feb. 20 and 21. The campaign was carried out through multiple user accounts, making it difficult for security teams to identify and remove the packages quickly, Checkmarx researcher Yehuda Gelb noted in a Tuesday blog post.
A large number of the malicious packages use names related to game cheats, free resources, and social media platforms, such as “free-tiktok-followers” and “free-xbox-codes,” to entice users to click links that direct them to multiple well-designed phishing webpages.
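The traits described above (lure-style package names, an external link in the package description, and a burst of publications spread across several accounts) can be combined into a simple registry triage heuristic. The following is an added example written for this article, not code from Checkmarx or SC Media; it runs over constructed sample metadata records, and its lure vocabulary is an assumption extended from the two package names quoted above.

```python
import re
from datetime import datetime, timedelta

# Assumed lure vocabulary, extended from the names quoted in the article.
LURE_WORDS = {"free", "followers", "codes", "cheat", "cheats", "generator", "unlock"}
URL_RE = re.compile(r"https?://[^\s)]+")

# Constructed sample registry metadata (hypothetical packages and accounts).
SAMPLE = [
    {"name": "free-tiktok-followers", "publisher": "acct01", "created": "2023-02-20T10:00:00",
     "readme": "Get followers now: https://example.invalid/tiktok"},
    {"name": "free-xbox-codes", "publisher": "acct02", "created": "2023-02-20T10:05:00",
     "readme": "Claim codes: https://example.invalid/xbox"},
    {"name": "roblox-cheat-generator", "publisher": "acct03", "created": "2023-02-20T11:30:00",
     "readme": "Generator: https://example.invalid/roblox"},
    {"name": "left-pad-utils", "publisher": "acct04", "created": "2023-02-20T11:45:00",
     "readme": "Utility functions."},
    {"name": "free-icons", "publisher": "acct05", "created": "2023-02-01T09:00:00",
     "readme": "MIT licensed icon set https://example.invalid/icons"},
    {"name": "express-helpers", "publisher": "acct06", "created": "2023-02-10T09:00:00",
     "readme": "See https://example.invalid/docs"},
]

def lure_score(pkg):
    """One point per lure word in the name, plus one if the readme carries an external link."""
    tokens = re.split(r"[-_.]", pkg["name"].lower())
    score = sum(1 for t in tokens if t in LURE_WORDS)
    if URL_RE.search(pkg.get("readme", "")):
        score += 1
    return score

def burst_groups(pkgs, window=timedelta(hours=6), min_size=3):
    """Group packages whose creation times fall within `window` of the group's first
    member; return only groups of at least `min_size` packages."""
    groups, current = [], []
    for p in sorted(pkgs, key=lambda p: p["created"]):
        ts = datetime.fromisoformat(p["created"])
        if current and ts - datetime.fromisoformat(current[0]["created"]) > window:
            groups.append(current)
            current = []
        current.append(p)
    if current:
        groups.append(current)
    return [g for g in groups if len(g) >= min_size]

def flag_lure_packages(pkgs, min_score=2):
    """Names of lure-scored packages that were published in a burst spanning more than one account."""
    flagged = set()
    for group in burst_groups(pkgs):
        if len({p["publisher"] for p in group}) < 2:
            continue  # a single prolific publisher is not the pattern described
        flagged.update(p["name"] for p in group if lure_score(p) >= min_score)
    return sorted(flagged)
```

A lone lure-named package such as "free-icons" scores but is not flagged, because the burst-across-accounts condition is what separates this campaign pattern from an ordinary package with a link in its readme.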
Upon further investigation of the phishing websites, the Checkmarx team found some directed users to eCommerce sites with referral IDs, including AliExpress, one of the world’s largest online retail platforms.
“Like many other retail websites, AliExpress offers a referral program that rewards members for referring new customers to the platform. If the threat actors refer their victims to AliExpress and they make a purchase, the threat actors’ accounts will receive a referral reward in the form of a coupon or store credit,” Gelb explained. “This highlights the potential financial gain for threat actors who engage in phishing campaigns like this one.”
In this case, while the consequences of the attacks may not appear as severe as some other open source vulnerabilities, Gelb told SC Media that this