Software supply chain attacks are a hot topic. We have previously warned about wire fraud scams and noted that those attacks are on the rise. Developers should also be aware of a recent, massive phishing campaign that targets the security of open-source package repositories. BleepingComputer.com reports on one such attack that targeted NPM, PyPI, and NuGet, planting nearly 145k fake packages. Codenotary Trustcenter and TrueSBOM are the answer.
Hackers conducted an automated attack, uploading the packages from accounts that followed a specific naming scheme and carried similar descriptions. The packages linked to a cluster of 90 domains hosting over 65,000 phishing pages.
The phishing campaign promotes fake apps, prize-winning surveys, and gift cards, and sometimes sends victims to AliExpress via referral links. Analysts at Checkmarx and Illustria discovered the attack and worked together to uncover and map the infection.
NuGet had the largest share of malicious package uploads (around 140k), while PyPI received around 8k. The hackers uploaded the packages in large quantities within a couple of days, which is a common sign of malicious activity. The URL of the phishing sites was planted in the package description. The goal was to boost the SEO of the phishing sites through links from well-ranked repository pages.
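The traits described above (many packages from one account in a short window, near-identical descriptions, and a link to an outside domain in the description) are exactly what a registry or an internal package mirror can screen for. The following Python script is an added example, not code from the original post or from Codenotary; it runs a simple triage heuristic over constructed sample metadata records. The package names, account names, hosts and the domain allowlist are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches a whole URL (used to strip links before comparing descriptions)
FULL_URL_RE = re.compile(r"https?://\S+")
# Captures only the host part of a URL
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Assumed allowlist: hosts that legitimately appear in package descriptions
ALLOWED_DOMAINS = {"github.com", "gitlab.com", "www.npmjs.com", "pypi.org", "www.nuget.org"}

# Constructed sample metadata records (names, accounts and hosts are made up)
SAMPLE_PACKAGES = [
    {"name": "free-robux-gen-01", "owner": "acct-a17", "published": "2022-12-01T10:00:00",
     "description": "Get your free generator now https://example-phish.test/go1"},
    {"name": "free-robux-gen-02", "owner": "acct-a17", "published": "2022-12-01T10:05:00",
     "description": "Get your free generator now https://example-phish.test/go2"},
    {"name": "gift-card-codes-x", "owner": "acct-a17", "published": "2022-12-01T11:00:00",
     "description": "Win a gift card today https://example-phish.test/gift"},
    {"name": "left-pad-utils-ok", "owner": "maintainer-jane", "published": "2022-12-01T09:00:00",
     "description": "Utility to pad strings, source at https://github.com/example/left-pad-utils"},
    {"name": "test-helper-ok", "owner": "maintainer-jane", "published": "2022-11-20T09:00:00",
     "description": "Small helper for unit tests"},
]


def normalize_description(desc):
    """Lowercase, drop URLs and collapse whitespace so near-duplicate blurbs compare equal."""
    return " ".join(FULL_URL_RE.sub("", desc).lower().split())


def flag_packages(packages, window_hours=48, burst_threshold=3):
    """Return {package_name: [reasons]} for packages showing the campaign's traits."""
    by_owner = defaultdict(list)   # owner -> publish timestamps
    by_desc = defaultdict(list)    # normalized description -> package names
    for p in packages:
        by_owner[p["owner"]].append(datetime.fromisoformat(p["published"]))
        by_desc[normalize_description(p["description"])].append(p["name"])

    findings = {}
    for p in packages:
        reasons = []
        # Trait 1: description links to a host outside the allowlist
        for host in DOMAIN_RE.findall(p["description"]):
            if host.lower() not in ALLOWED_DOMAINS:
                reasons.append(f"external-url:{host}")
        # Trait 2: the same account published a burst of packages in a short window
        t = datetime.fromisoformat(p["published"])
        in_window = [u for u in by_owner[p["owner"]]
                     if abs((u - t).total_seconds()) <= window_hours * 3600]
        if len(in_window) >= burst_threshold:
            reasons.append(f"burst-upload:{len(in_window)}-in-{window_hours}h")
        # Trait 3: the description (minus links) is shared with another package
        if len(by_desc[normalize_description(p["description"])]) > 1:
            reasons.append("shared-description")
        if reasons:
            findings[p["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in flag_packages(SAMPLE_PACKAGES).items():
        print(name, "->", ", ".join(reasons))
```

The three signals are deliberately cheap so they can run on every new upload; a hit on any one of them is a triage queue entry, not a verdict, and the thresholds and the allowlist are the knobs a registry operator would tune to its own baseline of legitimate activity.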
These sites almost always ask visitors to enter their email, username, and account password, which is where the phishing step takes place. The fake sites feature an element that resembles the promised free generator. When visitors try to use it, it asks for “human verification” and then fails. This initiates a series of redirections to legitimate e-commerce websites via affiliate links, which is how the threat actors generate revenue from the campaign.
The security researchers who discovered the campaign informed NuGet of the infection. As a result, all packages have since been delisted. The threat actors used an automated method to upload a large number of packages in a short time, so they could reintroduce the threat using new accounts and different package names at any time.
This attack isn’t the only one in recent times. TrendMicro notes a 600% increase in the number of attacks. Other reports find an increase of over 700%.
It is worth remembering how easy it is to conduct such attacks, as a report on dependency confusion from an independent security researcher shows. He successfully exploited the supply chain of multiple companies by uploading code to public package repositories. He uploaded “malicious” Node packages to the npm registry under unclaimed names matching those of internal packages, which would “phone home” from each computer that installed them. The code inside the packages collected basic information about the machines and sent it back to the researcher via DNS exfiltration. The researcher targeted several companies, including PayPal, and received bug bounties from some of them.
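Dependency confusion works because an unclaimed public name that matches an internal package name can be resolved from the public registry by a build that was never told where its internal packages live. The defensive check below is an added example written for this post, not the researcher's code and not a Codenotary tool. Assuming an organization publishes internal packages under an npm scope (here `@acme`), keeps a short list of legacy unscoped internal names, and runs a private registry on a known host, it audits a project's `package.json` and `.npmrc` and reports every internal dependency that is not routed to the private registry. The project files, scope, registry host and package names are constructed for the demonstration.

```python
import json
import re
from urllib.parse import urlparse

# Assumed: the organization publishes internal packages under this npm scope
INTERNAL_SCOPE = "@acme"
# Assumed: legacy internal packages that were never moved under the scope
INTERNAL_UNSCOPED = {"acme-billing-core"}
# Assumed: host(s) of the organization's private registry
PRIVATE_REGISTRY_HOSTS = {"npm.internal.acme.example"}

# Constructed sample project files
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "acme-web",
    "dependencies": {"@acme/auth-client": "^2.1.0", "lodash": "^4.17.21",
                     "acme-billing-core": "1.4.0"},
    "devDependencies": {"@acme/test-utils": "^1.0.0", "jest": "^29.0.0"},
})
SAMPLE_NPMRC_OK = (
    "# route the internal scope to the private registry\n"
    "@acme:registry=https://npm.internal.acme.example/\n"
)
SAMPLE_NPMRC_MISSING = "registry=https://registry.npmjs.org/\n"
SAMPLE_NPMRC_PUBLIC = "@acme:registry=https://registry.npmjs.org/\n"


def parse_npmrc(text):
    """Map scope -> registry URL from '@scope:registry=URL' lines; other keys are ignored."""
    scopes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^(@[\w.-]+):registry=(\S+)$", line)
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def audit_dependencies(package_json_text, npmrc_text):
    """Return (dependency, problem) pairs for internal names a build could fetch publicly."""
    pkg = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(pkg.get(section, {}))
    scopes = parse_npmrc(npmrc_text)

    findings = []
    for name in sorted(deps):
        if name.startswith("@"):
            scope = name.split("/", 1)[0]
            if scope != INTERNAL_SCOPE:
                continue  # third-party scope, resolved from the public registry by design
            registry = scopes.get(scope)
            if registry is None:
                findings.append((name, "internal scope not routed to any registry in .npmrc"))
            elif urlparse(registry).hostname not in PRIVATE_REGISTRY_HOSTS:
                findings.append((name, f"internal scope routed to non-private registry {registry}"))
        elif name in INTERNAL_UNSCOPED:
            # npm routes registries per scope, so an unscoped internal name cannot be
            # pinned to the private registry and stays claimable on the public one
            findings.append((name, "unscoped internal name: cannot be pinned to the private registry"))
    return findings


if __name__ == "__main__":
    for npmrc in (SAMPLE_NPMRC_OK, SAMPLE_NPMRC_MISSING, SAMPLE_NPMRC_PUBLIC):
        print(audit_dependencies(SAMPLE_PACKAGE_JSON, npmrc))
```

Run against the "good" `.npmrc` the only finding is the legacy unscoped package, which is the case the scope routing cannot fix: the remedy there is to move the package under the scope or to register the name on the public registry yourself. Without the scope line, or with the scope routed to the public registry, every `@acme` dependency is reported, which is the state that makes the attack described above possible.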
In conclusion, software developers should be aware of software supply chain attacks and of the risk of phishing attacks through open-source package repositories. They need to take steps to protect themselves and their organizations. This includes being cautious when clicking on links, verifying the authenticity of websites and apps, and using strong, unique passwords for all accounts.
This type of supply chain attack highlights the need for organizations to ensure that their internal and external dependencies are secure. You can accomplish this by following the software security best practices outlined in frameworks such as SSDF. You can also gain ongoing visibility into the components of your software using tools such as Trustcenter and TrueSBOM.