In a continuing attack on the open source ecosystem, over 15,000 spam packages have flooded the npm registry in an attempt to distribute phishing links. The packages were created by an automated process, with project descriptions and auto-generated names that closely resembled one another, according to Checkmarx researcher Yehuda Gelb. The links pointed to retail websites through the attackers' referral IDs, so every purchase they drove earned the attackers a referral reward.
The modus operandi involves poisoning the registry with rogue packages whose README.md files carry links to phishing campaigns, similar to a campaign the software supply chain security firm exposed in December 2022. The fake modules masqueraded as cheats and free resources, with names such as "free-tiktok-followers," "free-xbox-codes," and "instagram-followers-free."
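The traits described above (lure words in the package name, near-identical auto-generated names, and README links carrying referral parameters) are all visible in registry metadata, so they can be scored without installing anything. The following is an added example, not code from the article or from Checkmarx; the package names, URLs, referral parameter names and lure word list are constructed for illustration and are not the real campaign's packages.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample registry metadata (hypothetical package names and URLs).
SAMPLE_PACKAGES = [
    {"name": "free-tiktok-followers",
     "readme": "# Free TikTok followers\nClaim yours: https://promo.example/claim?ref=a1b2c3"},
    {"name": "free-tiktok-followers-2023",
     "readme": "Claim free followers here https://promo.example/claim?aff=z9y8"},
    {"name": "instagram-followers-free",
     "readme": "Free IG followers -> http://promo.example/ig?referral=77"},
    {"name": "tiny-date-utils",
     "readme": "Date helpers. Source: https://github.com/example/tiny-date-utils"},
]

# Assumed vocabularies; tune these to the campaigns you actually see.
LURE_WORDS = {"free", "followers", "codes", "cheat", "cheats", "hack", "generator", "giveaway"}
REFERRAL_PARAMS = {"ref", "referral", "aff", "affiliate", "invite"}
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")


def name_tokens(name):
    """Split an npm name (scoped or not) into lowercase tokens."""
    return {t for t in re.split(r"[-_./]", name.lower().lstrip("@")) if t}


def referral_urls(readme):
    """Return README links whose query string carries a referral-style parameter."""
    hits = []
    for url in URL_RE.findall(readme):
        params = parse_qs(urlparse(url).query)
        if REFERRAL_PARAMS & set(params):
            hits.append(url)
    return hits


def score_package(pkg):
    """List the independent reasons a package looks like a README-phishing lure."""
    reasons = []
    lure = name_tokens(pkg["name"]) & LURE_WORDS
    if lure:
        reasons.append("lure words in name: " + ", ".join(sorted(lure)))
    refs = referral_urls(pkg["readme"])
    if refs:
        reasons.append("referral-style link(s) in README: " + ", ".join(refs))
    return reasons


def flag_packages(packages, min_reasons=2):
    """Map package name -> reasons for every package with at least min_reasons hits."""
    flagged = {}
    for pkg in packages:
        reasons = score_package(pkg)
        if len(reasons) >= min_reasons:
            flagged[pkg["name"]] = reasons
    return flagged


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def near_duplicate_groups(names, threshold=0.5):
    """Greedy token-overlap clustering: surfaces the bulk-generated name families."""
    groups = []
    for name in names:
        toks = name_tokens(name)
        for group in groups:
            if any(jaccard(toks, name_tokens(member)) >= threshold for member in group):
                group.append(name)
                break
        else:
            groups.append([name])
    return [g for g in groups if len(g) > 1]


if __name__ == "__main__":
    for name, reasons in flag_packages(SAMPLE_PACKAGES).items():
        print(name, "->", "; ".join(reasons))
    print("name families:", near_duplicate_groups([p["name"] for p in SAMPLE_PACKAGES]))
```

Requiring two independent signals (name plus link) keeps a legitimate package with a single affiliate link in its docs from being flagged on its own; the name-family clustering is what turns a handful of hits into evidence of one automated campaign.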
The ultimate goal of the operation is to entice users into downloading the packages and clicking through to the phishing sites on the bogus promise of more followers on social media platforms. These websites are well designed and, in some cases, even include fake interactive chats that appear to show users receiving the game cheats or followers they were promised. Victims are then urged to fill out surveys, which lead either to further surveys or to redirects to legitimate e-commerce portals such as AliExpress.