Over 15,000 spam packages created using automated processes with project descriptions and auto-generated names that resemble one another were found in the NPM repository. These packages contain phishing links that refer to retail websites using referral IDs, making the attackers profit from referral rewards.

The packages were discovered by Checkmarkx researcher Yehuda Gelb who reports that they appear to have been uploaded to NPM from multiple user accounts within a few hours between February 20 and 21, 2023. The entire process was handled by a Python script that automates the whole process. Overall, Checkmarx analysed over 190 unique URLs, which they were able to reduce to 31 domains.

So I've been noticing a spam attack on @npmjs. Tens of thousands of packages have been flooding the registry and occupying the front page. pic.twitter.com/T209xwOTAo
— Jesse Mitchell (@TotalCoder) February 21, 2023

The script further appends links to these fake packages on multiple Wordpress websites operated by the attacker that claim to offer Family Island cheats. As for the packages themselves, they impersonate cheat and other free resources claiming to offer free TikTok or Instagram followers or Xbox codes.

The end goal here is to get unsuspecting users to download these packages and eventually click the referral links under the fake promise of increasing their social media followers or getting free game codes. According to Gelb, the fake pages are rather well-designed and in some cases even show fake interactive chats giving users game cheats, codes or social media followers as promised.

These websites also include built-in fake flow that pretends to process data and generate the promised rewards. The process, however, is designed to fail and asks for human verification asking users to fill out surveys. These surveys either lead to more surveys or redirect them to e-commerce portals like AliExpress whose referral program was exploited in the attack.

This is an image of npm fake websites — *The fake websites lead to surveys under the guise of human verification. | Source: Checkmarx*

Overall, the use of automation and referral combined allowed the attacker to quickly deploy the attack at a large scale making it difficult for security teams to identify and remove the packages in time.

This isn’t the first time such an attack has happened either, with Checkmarx and Illustria revealing a similar attack in December 2022 which involved over 144,000 spam packages being published to NuGet, NPM, and PyPi by the same threat actors.

In the News: Sensitive US military emails leak online