Researchers at Checkmarx and Illustria found multiple malicious packages in three major open source repositories, as was reported this week.
Of the 144,294 packages detected, 136,258 were found on NuGet, 7,824 on PyPI, and 212 on npm. They are all part of a new type of attack that consists of including links to spam sites in the package description. While PyPI and npm have removed the packages, NuGet has only made them unsearchable: they are still available for download from its website.
How the malicious packages were detected
The researchers concluded that an automated process was used to upload the packages, because the usernames followed the pattern <1900-2022> and the entire upload was completed in a short amount of time. Besides enabling the speed and scale of the attack, automation makes it difficult to trace the source.
Another trait the malicious packages share is that they promised free tips, resources and performance improvements on social networks. To obtain them, users were invited to visit web pages whose URL was included in the description. These websites were actually used for phishing. The investigation detected 65,000 unique URLs grouped into 90 domains.
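As an added illustration, not code from the report or from the researchers, the following Python script applies the three traits described above (year-like uploader names, links in the description, uploads bunched in time) to a constructed sample of registry metadata and groups the extracted URLs by domain. Reading the <1900-2022> pattern as a four-digit suffix on the account name is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse
# Constructed sample of registry metadata (not real packages): two records mimic the
# traits the report describes, the third is a benign control.
SAMPLE_PACKAGES = [
    {"name": "free-tips-1", "owner": "user1987", "uploaded": "2022-12-05T10:00:01",
     "description": "Get free followers! Visit https://example-spam.test/tips now"},
    {"name": "free-tips-2", "owner": "user2001", "uploaded": "2022-12-05T10:00:07",
     "description": "Boost performance: http://example-spam.test/boost and https://other-spam.test/"},
    {"name": "requests-helper", "owner": "alice", "uploaded": "2022-11-20T14:22:00",
     "description": "Small helper around requests. Docs: https://docs.example.org/"},
]

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# Assumption: the "<1900-2022>" pattern in the report means the account name
# ends in a four-digit number in that range.
YEAR_SUFFIX_RE = re.compile(r"(?:19\d\d|20(?:[01]\d|2[0-2]))$")

def extract_urls(description):
    """All http(s) links embedded in a package description."""
    return URL_RE.findall(description)

def year_suffixed(owner):
    """True when the uploader name matches the automated-account pattern."""
    return YEAR_SUFFIX_RE.search(owner) is not None

def flag_packages(packages):
    """Names of packages that combine both traits: year-pattern owner and a link."""
    return [p["name"] for p in packages
            if year_suffixed(p["owner"]) and extract_urls(p["description"])]

def group_urls_by_domain(packages):
    """Map each domain to the set of unique URLs seen in descriptions."""
    by_domain = defaultdict(set)
    for p in packages:
        for url in extract_urls(p["description"]):
            by_domain[urlparse(url).hostname].add(url)
    return dict(by_domain)

def burst_uploads(packages, window=timedelta(minutes=1)):
    """Names of packages published within `window` of another upload."""
    ordered = sorted(packages, key=lambda p: p["uploaded"])
    times = [datetime.fromisoformat(p["uploaded"]) for p in ordered]
    hits = set()
    for i in range(1, len(ordered)):
        if times[i] - times[i - 1] <= window:
            hits.update({ordered[i - 1]["name"], ordered[i]["name"]})
    return sorted(hits)
```

Run against a real registry feed, the domain grouping is what turns a long URL list into the short list of domains worth blocking or reporting.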
The specialists do not believe that the users of the three platforms were the final target. Apparently the goal was to improve the search engine ranking of the phishing sites, which the attackers would achieve by associating them with well-ranked sites such as NuGet, PyPI and npm.
The second part of the scam
A user attracted by the offer would see fake interactive chats in which other, non-existent users received the promised benefits. If a real user decided to go ahead, the process was simulated to generate the promised result, but at some point a failure occurred and the user was prompted to complete a verification manually. This involved moving between various sites and answering questions, to finally land on legitimate e-commerce portals.
Let's explain this a little better. To save time, the browser usually autocompletes with a link you have already used. If I trick you into clicking an Amazon link that carries my referral ID, the next time you go to Amazon the browser will probably autocomplete with that link, including my ID, so I get a percentage of every purchase you make.