The phishing package campaign was discovered by analysts from Checkmarx and Illustria, who jointly investigated the incident. According to the experts, the packages were uploaded from accounts that followed a particular naming scheme, had similar descriptions, and led to the same cluster of 90 domains, which hosted more than 65,000 phishing pages. The sites offered fake applications, polls, promotional codes and much more. In some cases, they contained referral links for AliExpress.
Most of the phishing packages were uploaded to NuGet (136,258), followed by PyPI (7,894 packages) and npm (only 212).
Statistics of malicious package uploads (Checkmarx)
The URLs of the phishing sites were inserted into the package descriptions so that the links would rank higher in search results. The package descriptions urge users to follow the links to get more information about applications, various code-generation tools, and so on.
Description of one of the phishing packages (Checkmarx)
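A defender-side illustration of the pattern described above, where many packages from different accounts carry descriptions linking to the same small set of domains. This is an added example, not code from Checkmarx or Illustria; the record fields (`name`, `publisher`, `description`), the thresholds, the `allow` parameter and the sample data are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def description_hosts(description):
    """Return the set of hostnames linked from one package description."""
    hosts = set()
    for url in URL_RE.findall(description or ""):
        try:
            host = urlsplit(url.rstrip(".,;:!?")).hostname  # already lower-cased
        except ValueError:  # malformed URL, e.g. an unclosed "[" in the host
            continue
        if host:
            hosts.add(host[4:] if host.startswith("www.") else host)
    return hosts

def flag_link_clusters(packages, min_packages=3, min_publishers=2, allow=frozenset()):
    """Map host -> package names for hosts linked by many packages from several accounts."""
    by_host = defaultdict(list)
    for pkg in packages:
        # A host is counted once per package, however often the description repeats it.
        for host in description_hosts(pkg.get("description")) - set(allow):
            by_host[host].append(pkg)
    flagged = {}
    for host, pkgs in by_host.items():
        publishers = {p["publisher"] for p in pkgs}
        if len(pkgs) >= min_packages and len(publishers) >= min_publishers:
            flagged[host] = sorted(p["name"] for p in pkgs)
    return flagged

# Constructed metadata records (hypothetical names and .example domains, not real packages).
SAMPLE = [
    {"name": "free-gift-codes-a1", "publisher": "acct-x1", "description": "Get codes at https://promo.example/steam now!"},
    {"name": "free-gift-codes-b2", "publisher": "acct-x2", "description": "More info: https://www.promo.example/psn."},
    {"name": "followers-tool-c3", "publisher": "acct-x3", "description": "Visit HTTPS://PROMO.example/boost"},
    {"name": "json-helper", "publisher": "dev-1", "description": "Docs at https://docs.example/json-helper"},
    {"name": "csv-helper", "publisher": "dev-1", "description": "Docs: https://docs.example/csv and https://docs.example/faq"},
    {"name": "xml-helper", "publisher": "dev-1", "description": "Docs at https://docs.example/xml (see http://[broken)"},
]

if __name__ == "__main__":
    for host, names in flag_link_clusters(SAMPLE).items():
        print(host, names)
```

The publisher threshold keeps a single maintainer who links all of their packages to one documentation site from being flagged; widely used hosts such as code-hosting sites would go in `allow`.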
In some cases, the attackers advertised fake generators of Steam gift cards and PlayStation Network electronic gift cards, as well as follower-boosting services for various platforms. To use them, however, the victim has to enter their e-mail address, as well as the login and password for their account on the service or site. In this way the cybercriminals collect victims' data in order to sell it on hacker forums.
In addition, the attackers also make money by redirecting users through referral links to various marketplaces.
The information security specialists who discovered this campaign have already informed NuGet, PyPI and npm about the infection, so all the malicious packages have already been removed from the sites.