recorded an attack on users of the NPM catalog, as a result of which 20 On February, the NPM repository posted more than 15 thousand packets, in the Readme-fials of which there were references to the figures Transitions for which deductions are paid. During the analysis, the packages revealed 190 unique phishing or advertising links, covering 31 domains. Interest of the townsfolk, grinder, Free-Tiktok-Followers “Free-XBox-Codes”, “Instagram-Followers-Free”, etc. The calculation was made on filling with spam packages of the list of recent updates on the main page of the NPM. The description of the packages gave links that promised free distributions, gifts, game cheats, as well as free services for winding subscribers and likes on social networks, such as Tiktok and Instagram. This is not the first such attack, in December in Nuget, NPM and Pypi catalogs was
The contents of the packages were generated automatically using the Python script, which was apparently left in packages and included the working accounts used during the attack. The packages were published under many different accounts using methods that complicate the unraveling of traces and the operational identification of problem packages.
In addition to fraudulent actions in the NPM and PYPI repositories, several attempts to publish malicious packages were also revealed:
- In the repository of pypi found 451 malicious package that was masked некоторые популярные библиотеки при помощи тайпсквотинга (назначение похожих имён, отличающихся отдельными символами, например, vper вместо vyper, bitcoinnlib вместо bitcoinlib, ccryptofeed вместо cryptofeed, ccxtt вместо ccxt, cryptocommpare вместо cryptocompare, seleium вместо selenium, pinstaller вместо pyinstaller и т.п.) . The packages included a focused code for the theft of cryptocurrency, which determined the availability of cryptocurrency identifiers in the exchange buffer and changed them to the attacker’s wallet (it is assumed that when making payment the victim would not notice that the wallet number transferred through the exchange buffer is different). The replacement was carried out by the add-on, which was built into the browser, which was performed in the context of each web page viewed.
- In the repository of pypi identified