As-yet unidentified threat actors recently uploaded 144,294 phishing-related packages to popular open-source package repositories, including NuGet, PyPI and NPM. The campaign appears to have been automated: the malicious packages were published from many different accounts, used near-identical descriptions and followed a particular naming scheme. The phishing pages linked from the packages all traced back to a single cluster of 90 domains hosting more than 65,000 phishing pages in total. The pages promote surveys with prizes for participants, fake applications, giveaways, gift cards and other tempting bait.
Analysts at Checkmarx and Illustria worked together to uncover and map the campaign. NuGet received the largest share of the malicious uploads at 136,258, PyPI received 7,894, and NPM trailed with 212.
All the uploads occurred within a few days; a burst of publishing activity like this, spread across many newly created accounts, is a common indicator of automated malicious activity.
Chart of the malicious package uploads (Checkmarx)
The package descriptions all included URLs for the phishing sites, and the apparent goal was to improve the search engine optimization (SEO) ranking of the attackers' sites: package pages on public registries are indexed by search engines, so a link planted there lends the phishing domain reputation. The descriptions also urged users to click through the links for more information about promised gift card codes, hacking tools, apps and more.
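The traits described above (many accounts, templated descriptions, a burst of uploads, and embedded URLs pointing at a small domain cluster) are all visible in ordinary registry metadata, so they can be hunted for without downloading a single package. The script below is an added example written for this article, not code from Checkmarx or Illustria: it runs over a constructed set of package records (the package names, account names, timestamps and `*.test` domains are placeholders, not real indicators), normalizes each description into a template by blanking out URLs and numbers, and flags any template that several distinct accounts published within a short window. It also matches the embedded URLs against a domain list, which is how you would use a published IOC list like the one on GitHub. The cluster thresholds and the two-label "registrable domain" shortcut are assumptions chosen for the sample, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample of registry metadata (not real packages or domains). The
# fields mirror what NuGet/PyPI/npm feeds expose: name, publishing account,
# description and upload time. Four records imitate the campaign pattern,
# two are ordinary packages.
SAMPLE_PACKAGES = [
    {"name": "free-steam-giftcard-4471", "account": "acct_a1", "uploaded": "2022-12-01T09:00:00",
     "description": "Get 100 free Steam gift card codes! Visit https://promo-example-1.test/steam?id=4471 now."},
    {"name": "free-steam-giftcard-9120", "account": "acct_b7", "uploaded": "2022-12-01T09:02:00",
     "description": "Get 250 free Steam gift card codes! Visit https://promo-example-2.test/steam?id=9120 now."},
    {"name": "free-steam-giftcard-77", "account": "acct_c3", "uploaded": "2022-12-02T14:30:00",
     "description": "Get 50 free Steam gift card codes! Visit https://promo-example-1.test/ps?id=77 now."},
    {"name": "free-steam-giftcard-3", "account": "acct_a1", "uploaded": "2022-12-03T01:15:00",
     "description": "Get 500 free Steam gift card codes! Visit https://promo-example-3.test/yt?id=3 now."},
    {"name": "structured-logging", "account": "maintainer_x", "uploaded": "2022-11-20T10:00:00",
     "description": "Structured logging helpers for ASP.NET Core. Docs: https://docs.example.org/logging"},
    {"name": "tiny-json-schema", "account": "maintainer_y", "uploaded": "2022-11-25T16:45:00",
     "description": "Lightweight JSON schema validator with zero dependencies."},
]

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def extract_urls(text):
    """Return every http(s) URL embedded in a description."""
    return URL_RE.findall(text)


def registrable_domain(url):
    """Collapse a URL to its last two host labels (assumption: good enough for the
    sample; a real scanner should use the Public Suffix List for co.uk-style TLDs)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def description_template(text):
    """Normalize a description so that copies differing only in URL and numbers
    (gift card amounts, referral IDs) collapse to one template string."""
    t = URL_RE.sub("<URL>", text)
    t = re.sub(r"\d+", "<N>", t)
    return re.sub(r"\s+", " ", t).strip().lower()


def find_campaign_clusters(packages, min_accounts=3, window_hours=72):
    """Group packages by description template and flag templates published by
    at least `min_accounts` distinct accounts within `window_hours` of each other.
    Both thresholds are assumptions for the sample, not figures from the report."""
    by_template = defaultdict(list)
    for p in packages:
        by_template[description_template(p["description"])].append(p)

    clusters = []
    for template, pkgs in by_template.items():
        accounts = {p["account"] for p in pkgs}
        if len(accounts) < min_accounts:
            continue
        times = sorted(datetime.fromisoformat(p["uploaded"]) for p in pkgs)
        span = times[-1] - times[0]
        if span > timedelta(hours=window_hours):
            continue
        domains = sorted({registrable_domain(u) for p in pkgs for u in extract_urls(p["description"])})
        # Names with digits blanked expose the shared naming scheme of the cluster.
        name_templates = sorted({re.sub(r"\d+", "<N>", p["name"]) for p in pkgs})
        clusters.append({
            "template": template,
            "packages": sorted(p["name"] for p in pkgs),
            "accounts": len(accounts),
            "span_hours": span.total_seconds() / 3600,
            "domains": domains,
            "name_templates": name_templates,
        })
    return clusters


def match_known_domains(packages, known_domains):
    """Return names of packages whose description links resolve to a domain on a
    block/IOC list (the list here is a placeholder, not the published one)."""
    hits = []
    for p in packages:
        if any(registrable_domain(u) in known_domains for u in extract_urls(p["description"])):
            hits.append(p["name"])
    return sorted(hits)


if __name__ == "__main__":
    for c in find_campaign_clusters(SAMPLE_PACKAGES):
        print(f"{c['accounts']} accounts, {len(c['packages'])} packages in {c['span_hours']:.1f}h")
        print("  template:", c["template"])
        print("  domains: ", ", ".join(c["domains"]))
    print("IOC hits:", match_known_domains(SAMPLE_PACKAGES, {"promo-example-2.test"}))
```

Running the script flags the four templated uploads as one cluster spanning three accounts and about 40 hours, lists the three promo domains they promote, and leaves the two ordinary packages alone. Against a live feed, the same two functions would be fed the registry's metadata dump, and the domain set would be the published campaign URL list reduced to registrable domains.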
Malicious package description (Checkmarx)
Some variety was introduced with the promotion of fake Steam gift card generators, Google Play Store credits, Instagram follower generators, YouTube subscriber generators and PlayStation Network e-gift card codes. Such sites typically require visitors to enter their email addresses and/or usernames along with their account passwords, and that is where the attackers capture the data.
Sample of the malicious websites (Checkmarx)
Victims who "access" the fake sites are shown the promised generators and gift card codes, but none of them work. Those who try to troubleshoot by following the instructions on many of the sites are passed through a series of redirects and eventually handed off to legitimate e-commerce websites via affiliate links, which gives the threat actors a second revenue stream alongside monetization of the stolen credentials.
Referral ID on final destination of the victim in the campaign (Checkmarx)
Given the automated method used in this attack, it is likely to be repeated unless repository operators can quickly improve their detection of malicious uploads, a tall order given the variety of content that can legitimately be published. For this campaign, the complete list of URLs used can be found on GitHub; it is worth matching against dependency manifests and web proxy logs.
Your organization may be at risk from attacks like the one described in this article. Supplement your security team with the experts at Webcheck Security, which maintains a team of highly experienced vCISOs (virtual Chief Information Security Officers) and penetration testers. Contact us today to schedule a free discussion of your organization's needs!