Researchers discovered a “factory” of malicious npm packages

npm malware factory
Written by Emma Davis

Checkmarx experts warn that hackers have created a “factory”: they have fully automated the creation and delivery of hundreds of malicious packages to the npm ecosystem. Researchers believe that the number of malicious libraries associated with this campaign already exceeds 800.

Let me remind you that last week, JFrog analysts discovered a large-scale attack on the supply chain aimed at Azure developers. The malicious campaign included 218 malicious npm packages that were designed to steal personal information.

As Checkmarx now reports, this incident, along with 400 other malicious npm packages targeting Azure, Uber and Airbnb developers recently spotted by Sonatype, is part of a massive campaign run by a person or group tracked by experts under the name RED-LILI.

It is emphasized that, judging by the scope of the campaign, RED-LILI has completely automated the process of creating npm accounts and clearly relies on dependency confusion attacks. The attacker is still active and continues to distribute malware.
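As a defender-side illustration of the dependency confusion risk mentioned above, here is an added example (not code from Checkmarx or from the article) that audits a package-lock.json for internal package names that were resolved from a public registry instead of the organization's private one. The internal names, the private registry host and the lockfile contents are constructed assumptions for the demo.

```javascript
// Added example: flag dependency-confusion candidates in an npm lockfile
// (lockfileVersion 2/3 "packages" map). Names and hosts below are hypothetical.
const INTERNAL_NAMES = new Set(["acme-auth-utils", "@acme/billing"]); // assumed
const INTERNAL_SCOPE = "@acme/";                                       // assumed
const PRIVATE_REGISTRY_HOST = "npm.internal.example.com";               // assumed

// Lockfile keys look like "node_modules/<name>" or, when nested,
// "node_modules/a/node_modules/<name>"; the package name is what follows
// the last "node_modules/" (scoped names keep their "@scope/" prefix).
function nameFromLockKey(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns one finding per internal-looking package whose tarball was fetched
// from any host other than the private registry.
function auditLock(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "" || !entry.resolved) continue; // root entry or no tarball URL
    const name = nameFromLockKey(key);
    let host;
    try { host = new URL(entry.resolved).host; } catch { continue; }
    const internal = INTERNAL_NAMES.has(name) || name.startsWith(INTERNAL_SCOPE);
    if (internal && host !== PRIVATE_REGISTRY_HOST) {
      findings.push({ name, resolved: entry.resolved,
        reason: "internal package name resolved from a public registry" });
    }
  }
  return findings;
}

// Constructed sample lock: one internal package correctly served from the
// private registry, one internal name that resolved from registry.npmjs.org,
// and one ordinary public dependency that should not be flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@acme/billing": { version: "2.1.0",
      resolved: "https://npm.internal.example.com/@acme/billing/-/billing-2.1.0.tgz" },
    "node_modules/acme-auth-utils": { version: "99.0.0",
      resolved: "https://registry.npmjs.org/acme-auth-utils/-/acme-auth-utils-99.0.0.tgz" },
    "node_modules/lodash": { version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
  },
};

console.log(auditLock(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` and the assumed names with your own.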

“Typically, attackers use disposable anonymous npm accounts from which they launch their attacks. Apparently, this time the attacker completely automated the process of creating new accounts and opened new accounts for each individual package, and it became much more difficult to detect new batches,” Checkmarx writes.

According to researchers, in just a week, an unknown person published about 800 dangerous packages (mostly on behalf of unique accounts).

Although the names of the packages have been carefully chosen, the names of the users who publish them are randomly generated strings such as 5t7crz72 or d4ugwerp. This is unusual for automated attacks that we have seen. Typically, attackers create one user and carry out all attacks on behalf of this account. Based on this behavior, we can conclude that the attacker built the automation process from start to finish, including registering new users and passing OTP (One Time Password) checks.

The command-and-control server used by the unknown attacker to control the attack, rt11[.]ml, is also the address to which the stolen information is sent. At the same time, the researchers came to the conclusion that all this works under the control of the open source tool Interactsh, written in the Go language.

Checkmarx has created its own server with the Interactsh client to better understand how the attacker works. Then a script was written that automatically creates npm accounts using SeleniumLibrary. The script can randomly generate usernames and email addresses, automatically initiating the registration process. To bypass the OTP verification used by npm, Interactsh automatically extracts the OTP and submits it back to the signup form, allowing the account creation to complete successfully.

“It is worth noting that once a user account has been created, it can be configured so that a one-time password is not required to publish a package. To do this, you can use an authentication token and settings for working without 2FA,” the experts explain.

Let me remind you that we wrote that developers of the top 100 npm packages are required to use 2FA, and also that GitHub specialists talked about vulnerabilities in npm.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
