Researchers Uncover Automated Factory of Malicious npm Packages


Security experts at Checkmarx have issued a warning that hackers have fully automated the creation and delivery of hundreds of malicious packages into the npm ecosystem. According to researchers, the number of malicious libraries linked to this campaign has already surpassed 800.

Last week, analysts at JFrog uncovered a large-scale supply chain attack targeting Azure developers. This malicious campaign included 218 npm packages designed to steal personal information.

Checkmarx now reports that this incident, along with an additional 400 malicious npm packages targeting Azure, Uber, and Airbnb developers (recently identified by Sonatype specialists), is part of a single, large-scale campaign. This campaign is believed to be orchestrated by an individual or group tracked by experts under the name RED-LILI.

The scale of the campaign suggests that RED-LILI has fully automated the process of creating npm accounts and is focusing on dependency confusion attacks. The attacker remains active and continues to distribute malware.
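Dependency confusion works because a build that expects an internal package name can instead pull a same-named package from the public registry. The following script is an added defender-side check, not tooling from Checkmarx, JFrog or Sonatype: it reads a project's .npmrc, package.json and package-lock.json and flags private-scope or internal dependencies that were not fetched from the configured private registry. The @acme scope, the internal registry host and all package names are constructed sample values.

```python
import json
from urllib.parse import urlparse

# Constructed sample inputs (not from the article): an .npmrc pinning a private
# scope to an internal registry, a package.json, and a lockfileVersion 3 lockfile.
NPMRC = "registry=https://registry.npmjs.org/\n@acme:registry=https://npm.internal.acme.example/\n"
PACKAGE_JSON = json.dumps({"dependencies": {
    "@acme/auth-utils": "^1.0.0", "acme-billing-client": "^2.1.0", "express": "^4.18.0"}})
PACKAGE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/@acme/auth-utils": {"version": "1.0.3",
        "resolved": "https://npm.internal.acme.example/@acme/auth-utils/-/auth-utils-1.0.3.tgz"},
    "node_modules/acme-billing-client": {"version": "99.0.0",
        "resolved": "https://registry.npmjs.org/acme-billing-client/-/acme-billing-client-99.0.0.tgz"},
    "node_modules/express": {"version": "4.18.2",
        "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"}}})
# Unscoped names that exist only on the internal registry (assumed allowlist).
INTERNAL_UNSCOPED = {"acme-billing-client"}

def parse_npmrc(text):
    """Map each '@scope' in .npmrc to the hostname of its configured registry."""
    scoped = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("@") and ":registry=" in line:
            key, value = line.split("=", 1)
            scoped[key[: -len(":registry")]] = urlparse(value.strip()).hostname
    return scoped

def audit(npmrc, package_json, package_lock):
    """Return (package, reason) for private-looking deps that did not resolve privately."""
    scoped = parse_npmrc(npmrc)
    lock = json.loads(package_lock).get("packages", {})
    findings = []
    for name in json.loads(package_json).get("dependencies", {}):
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if scope not in scoped and name not in INTERNAL_UNSCOPED:
            continue  # ordinary public package: out of scope for this check
        entry = lock.get(f"node_modules/{name}")
        if entry is None:
            findings.append((name, "not pinned in package-lock.json"))
            continue
        host = urlparse(entry.get("resolved", "")).hostname
        expected = {scoped[scope]} if scope else set(scoped.values())
        if host not in expected:
            findings.append((name, f"resolved from {host}, expected {sorted(expected)}"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(NPMRC, PACKAGE_JSON, PACKAGE_LOCK):
        print(f"RISK {name}: {reason}")
```

Running it against the sample data reports only acme-billing-client, whose internal name was satisfied from registry.npmjs.org with an implausibly high version, while the scoped @acme package correctly came from the private registry.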

“Typically, attackers use disposable anonymous npm accounts to launch their attacks. This time, it appears the attacker has fully automated the process of creating new accounts, opening a new account for each package, making it much harder to detect new batches,” Checkmarx reports.

According to the researchers, in just one week, the unknown attacker published around 800 dangerous packages, mostly from unique accounts.

“While the package names were carefully chosen, the usernames publishing them are randomly generated strings, such as 5t7crz72 or d4ugwerp. This is unusual for automated attacks we’ve seen before. Usually, attackers create a single user and launch all attacks from that account. This behavior suggests the attacker has automated the entire process, including registering new users and passing OTP (One Time Password) checks.”

The command-and-control server used by the attacker, rt11[.]ml, is also the address where stolen information is sent. Researchers concluded that the entire operation is managed using the open-source tool Interactsh, written in Go.

Checkmarx set up their own server with an Interactsh client to better understand the attacker’s methods. They then wrote a script that automatically creates npm accounts using SeleniumLibrary. The script can randomly generate usernames and email addresses, automatically initiating the registration process. To bypass npm’s OTP verification, Interactsh automatically retrieves the one-time password and submits it back into the registration form, allowing the account to be created successfully.

“It’s worth noting that after a user account is created, it can be configured so that publishing a package does not require a one-time password,” the experts explain. “This can be done using an authentication token and settings that allow operation without 2FA.”
