Checkmarx experts warn that hackers have created a “factory”, i.e. fully automated the creation and delivery of hundreds of malicious packages to the npm ecosystem. Researchers believe that the number of malicious libraries associated with this campaign already exceeds 800.Let me remind you that last week, JFrog analysts discovered a large-scale attack on the supply chain aimed at Azure developers. The malicious campaign included 218 malicious npm packages that were designed to steal personal information.
As Checkmarx now reports, this incident, along with 400 other malicious npm packages targeting Azure, Uber and Airbnb developers recently spotted by Sonatype, are all part of a massive campaign behind a person or group tracked by experts under the name RED- LILI.
It is emphasized that, judging by the scope of the campaign, RED-LILI has completely automated the process of creating npm accounts and clearly relies on dependency confusion attacks. The attacker is still active and continues to distribute malware.
According to researchers, in just a week, an unknown person published about 800 dangerous packages (mostly on behalf of unique accounts).
The command-and-control server used by the unknown to control the attack, rt11[.]ml, is also the address to which the stolen information is sent. At the same time, the researchers came to the conclusion that all this works under the control of the open source tool Interactsh, written in the Go language.
Checkmarx has created its own server with the Interactsh client to better understand how the attacker works. Then a script was written that automatically creates npm accounts using SeleniumLibrary. The script can randomly generate usernames and email addresses, automatically initiating the registration process. To bypass the OTP verification used by npm, Interactsh automatically extracts the OTP and submits it back to the signup form, allowing the account creation to complete successfully.
Let me remind you that we wrote that Developers of top 100 npm packages are required to use 2FA, and also that GitHub specialists talked about vulnerabilities in npm.
User Review( votes)