2022-12-16

Repositories and open source are the protagonists of this story: born to “do good” in the computing world, they are often used to “do harm”. But first things first.

The NuGet, PyPI and npm ecosystems are the target of a new campaign that has led to the publication of more than 144,000 malicious packages by unknown authors; the malware in question, for that matter, is also mostly unknown.

“The packages [published on these platforms] were part of a new attack vector, with attackers spamming open source ecosystems with packages containing links to phishing pages,” said researchers from Checkmarx and Illustria in a report released on Wednesday.

Of the 144,294 phishing-related packages detected across these repositories, 136,258 were published on NuGet, 7,824 on PyPI and 212 on npm. The offending libraries have since been delisted or removed.

Further analysis revealed that the entire process was automated and that the packages were published in a short span of time, with the majority of usernames following the “<1900-2022>” convention.

What’s malicious in these repositories?

The fake packages themselves claimed to offer free hacks, cheats and resources in an attempt to trick users into downloading them; the URLs of the rogue phishing pages were embedded in the package descriptions.

In total, the massive campaign involved more than 65,000 unique URLs across 90 domains.

“The threat actors behind this campaign probably wanted to improve the search engine optimization (SEO) of their phishing sites by linking them to legitimate websites like NuGet,” the researchers said. “This highlights the need to be cautious when downloading packages and to use only trusted sources.”
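The two signals the report describes (phishing URLs embedded in package descriptions, and uploader names following a bulk “word plus year” convention) can be turned into a simple triage pass over registry metadata. The script below is an added example, not code from the article or from Checkmarx/Illustria; the package records, the allowlist of trusted hosts and the username pattern are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample metadata records, shaped loosely like what a registry API
# returns (name, uploader, free-text description). Made-up values, not packages
# from the reported campaign.
SAMPLE_PACKAGES = [
    {"name": "requests", "author": "kennethreitz",
     "description": "Python HTTP for Humans. Docs: https://requests.readthedocs.io"},
    {"name": "free-nitro-gen", "author": "alex2004",
     "description": "Free Discord Nitro codes! Claim here https://nitro-gift.example/claim "
                    "or http://freegiftcards.example/win"},
    {"name": "tiktok-follower-boost", "author": "maria1999",
     "description": "Get 10k followers now: https://nitro-gift.example/followers"},
]

# Hosts a description may legitimately link to (constructed allowlist); in practice
# this would hold the registry itself, code hosts and documentation sites.
TRUSTED_HOSTS = {"github.com", "readthedocs.io", "pypi.org"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# The article notes most uploader names followed a "<word><year>" style convention.
AUTO_NAME_RE = re.compile(r"^[A-Za-z]+(19\d{2}|20[0-2]\d)$")


def host_is_trusted(host: str) -> bool:
    """True if host equals, or is a subdomain of, an allowlisted host."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def triage(packages):
    """Flag packages whose description links off-allowlist; also tally the
    linked hosts so a campaign's shared domains stand out across packages."""
    flagged, hosts = [], Counter()
    for pkg in packages:
        urls = URL_RE.findall(pkg["description"])
        untrusted = [u for u in urls if not host_is_trusted(urlparse(u).hostname or "")]
        if not untrusted:
            continue
        hosts.update(urlparse(u).hostname for u in untrusted)
        reasons = ["off-allowlist link in description"]
        if AUTO_NAME_RE.match(pkg["author"]):
            reasons.append("uploader name matches bulk-account pattern")
        flagged.append({"name": pkg["name"], "urls": untrusted, "reasons": reasons})
    return flagged, hosts
```

Run over a whole registry dump, the host tally is the useful part: 65,000 URLs spread over only 90 domains means the same hosts recur thousands of times, which is far easier to spot than any single package.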

Unfortunately, it is an increasingly frequent practice to abuse (at least apparently) legitimate sources; in fact they often are legitimate, but strict control over the packages they host is not possible, partly due to the very nature of open source ecosystems.

These deceptive and well-designed pages advertised Discord Nitro codes, game hacks, “free money” for Cash App accounts, gift cards, and increased followers on social media platforms like YouTube, TikTok and Instagram.

The sites typically do not deliver the promised rewards, but require users to enter their email addresses and complete surveys before redirecting them to legitimate e-commerce sites via an affiliate link, generating illicit referral revenue.

The abuse of NuGet, PyPI and npm with fabricated packages once again illustrates the evolving methods threat actors use to attack the software supply chain.

“Automating the process also allowed attackers to create large numbers of user accounts, making it difficult to trace the source of the attack,” the researchers said. “This demonstrates the sophistication and determination of these attackers, who are willing to invest significant resources to carry out this campaign.”

“I really love open source and I often browse these repositories; how can I protect myself?”

First, pay attention. In this specific case, however, that is not as easy as usual, because paradoxically the campaign targets users who are somewhat more expert than average.

Fortunately, there are various platforms and various applications that can help.

If you download a suspicious file, you can always run Malwarebytes anti-malware (on Windows or Android especially), or check it on VirusTotal, which we talked about a while ago.

It should also be said that these deceptive links transcend operating systems, because the data theft takes place through the browser; Chromium-based browsers are more vulnerable in this respect. To work around the problem, and if you fear any repercussions, there are VPNs and temporary e-mail services.

That said, happy surfing, and always remember that “the problem sits between the chair and the keyboard”.