Tens of Thousands of Malicious NPM Packages Distribute Self-Replicating Worm

    aum

    A threat actor has published tens of thousands of malicious NPM packages that contain a self-replicating worm, security researchers warn.


    Unlike recent supply chain attacks on NPM, the code used in this campaign does not steal credentials or data, but abuses the ecosystem for spam.


    SourceCodeRed, which calls the malware ‘the IndonesianFoods worm’, has identified over 43,900 malicious NPM packages associated with 11 accounts, all named using a scheme involving Indonesian names and foods.


    The malicious code was designed to generate random names, modify the package.json files to make the packages public and add random version numbers, and publish the packages to the NPM registry.


    According to SourceCodeRed, the code repeats the same steps in an infinite loop, publishing a new package every 7 seconds, constantly spamming the NPM registry.


    “This floods the NPM registry with junk packages, wastes infrastructure resources, pollutes search results, and creates supply chain risks if developers accidentally install these malicious packages. The malware disguises itself as a legitimate Next.js application to avoid detection,” SourceCodeRed notes.


    The activity was also observed by JFrog, which identified over 80,000 self-replicating packages named using a similar random name generation scheme. In addition to the custom wordlist that includes names and foods, the dictionary also uses adjectives, colors, and animal names.


    According to JFrog, which named the campaign Big Red, the malware reuses a victim user’s stored NPM credentials to publish newly generated packages to the registry at a fast pace.
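The credential reuse described above works because a publish-capable npm token is readable by any code running as the developer, including an install script. The following check, added here and not part of the article or of any vendor tooling, audits the contents of an .npmrc for such tokens. It assumes npm's own conventions (a `//<registry>/:_authToken=<value>` line per registry, with `${VAR}` meaning the value is read from the environment); the sample file and its tokens are constructed placeholders.

```python
"""Audit an .npmrc for publish tokens reachable by anything running as this user."""
import re

# Constructed sample .npmrc (tokens are placeholders, not real credentials).
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_PLACEHOLDER_TOKEN_NOT_REAL
//npm.internal.example/:_authToken=${NPM_INTERNAL_TOKEN}
always-auth=true
"""

# One auth line per registry: "//host/path/:_authToken=<value>"
AUTH_LINE = re.compile(r"^\s*//(?P<registry>[^:]+):_authToken\s*=\s*(?P<value>\S+)\s*$")
# npm expands ${NAME} from the environment at run time; anything else is a literal on disk.
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")


def audit_npmrc(text):
    """Return one finding per auth line: registry, line number, and whether the
    token is persisted as a literal in the file (as opposed to an env reference)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = AUTH_LINE.match(line)
        if not m:
            continue
        value = m.group("value")
        findings.append({
            "line": lineno,
            "registry": m.group("registry"),
            "literal_token": ENV_REF.match(value) is None,
        })
    return findings


def literal_token_registries(text):
    """Registries whose token sits in plaintext in the file itself."""
    return sorted(f["registry"] for f in audit_npmrc(text) if f["literal_token"])


if __name__ == "__main__":
    for f in audit_npmrc(SAMPLE_NPMRC):
        kind = "LITERAL on disk" if f["literal_token"] else "env reference"
        print(f"line {f['line']}: {f['registry']} -> {kind}")
```

Both forms are reachable by a process in the developer's session, so the audit reports every auth line and only additionally marks the ones persisted on disk; the finding is a map of which registries a compromised developer environment could publish to, which is the exposure the article describes.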


    “The result is a tight, fully automated loop that can flood the npm ecosystem with large numbers of superficially legitimate packages, all derived from the same code template and differentiated only by randomized metadata,” JFrog notes.
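JFrog's observation above, together with the loop described earlier (random name, edited package.json, publish every 7 seconds), gives a registry operator or proxy maintainer two signals to detect on: many distinct package names that hash to the same code once the per-copy manifest fields are stripped, and a publish cadence far tighter than a human maintainer's. The detector below is an added example written for this article, not code from SourceCodeRed, JFrog or npm; its publish events are constructed, the file contents are placeholders, and the field names and thresholds are assumptions.

```python
"""Flag self-replicating 'template' publishes: one account, one code fingerprint,
many package names, pushed in a tight loop."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timezone

# Manifest fields the worm randomizes per copy; dropped before hashing so clones collide.
VOLATILE_MANIFEST_FIELDS = ("name", "version", "description")


def normalize_manifest(text):
    """package.json with per-copy fields removed, serialized canonically."""
    manifest = json.loads(text)
    for field in VOLATILE_MANIFEST_FIELDS:
        manifest.pop(field, None)
    return json.dumps(manifest, sort_keys=True, separators=(",", ":"))


def content_fingerprint(files):
    """SHA-256 over (path, content) pairs, with the manifest normalized first."""
    digest = hashlib.sha256()
    for path in sorted(files):
        body = files[path]
        if path == "package.json":
            body = normalize_manifest(body)
        digest.update(path.encode() + b"\0" + body.encode() + b"\0")
    return digest.hexdigest()


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_template_spam(events, min_clones=3, max_mean_gap_s=30.0):
    """Group publishes by (publisher, fingerprint); report groups with at least
    `min_clones` distinct names whose mean inter-publish gap is at most `max_mean_gap_s`."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["publisher"], content_fingerprint(ev["files"]))].append(ev)
    findings = []
    for (publisher, fp), evs in groups.items():
        names = {e["name"] for e in evs}
        if len(names) < min_clones:
            continue
        times = sorted(parse_ts(e["ts"]) for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if not gaps:
            continue
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap > max_mean_gap_s:
            continue
        findings.append({"publisher": publisher, "fingerprint": fp[:16],
                         "clones": len(names), "mean_gap_s": mean_gap,
                         "names": sorted(names)})
    findings.sort(key=lambda f: -f["clones"])
    return findings


# --- constructed sample data (not real registry events) ---
TEMPLATE_JS = "// constructed placeholder: the same body appears in every clone\n"


def manifest(name, version):
    return json.dumps({"name": name, "version": version, "main": "index.js"})


SAMPLE_EVENTS = [
    # Four clones from one account, a new name every 7 seconds (the cadence reported above).
    {"publisher": "acct-a", "name": "clone-pkg-a", "ts": "2025-11-10T10:00:00Z",
     "files": {"index.js": TEMPLATE_JS, "package.json": manifest("clone-pkg-a", "1.4.9")}},
    {"publisher": "acct-a", "name": "clone-pkg-b", "ts": "2025-11-10T10:00:07Z",
     "files": {"index.js": TEMPLATE_JS, "package.json": manifest("clone-pkg-b", "7.0.3")}},
    {"publisher": "acct-a", "name": "clone-pkg-c", "ts": "2025-11-10T10:00:14Z",
     "files": {"index.js": TEMPLATE_JS, "package.json": manifest("clone-pkg-c", "2.2.8")}},
    {"publisher": "acct-a", "name": "clone-pkg-d", "ts": "2025-11-10T10:00:21Z",
     "files": {"index.js": TEMPLATE_JS, "package.json": manifest("clone-pkg-d", "9.1.1")}},
    # Ordinary maintainer: two releases of one library an hour apart, plus an unrelated package.
    {"publisher": "acct-b", "name": "real-lib", "ts": "2025-11-10T09:00:00Z",
     "files": {"index.js": "module.exports = () => 1;\n", "package.json": manifest("real-lib", "1.0.0")}},
    {"publisher": "acct-b", "name": "real-lib", "ts": "2025-11-10T10:00:00Z",
     "files": {"index.js": "module.exports = () => 1;\n", "package.json": manifest("real-lib", "1.0.1")}},
    {"publisher": "acct-b", "name": "other-lib", "ts": "2025-11-10T10:00:05Z",
     "files": {"index.js": "module.exports = () => 2;\n", "package.json": manifest("other-lib", "0.1.0")}},
]

if __name__ == "__main__":
    for f in detect_template_spam(SAMPLE_EVENTS):
        print(f"{f['publisher']}: {f['clones']} names share code {f['fingerprint']}, "
              f"mean gap {f['mean_gap_s']:.1f}s -> {f['names']}")
```

Stripping only `name`, `version` and `description` is deliberate: a legitimate maintainer re-releasing the same code under a new version collides to one fingerprint too, but contributes a single name, so the distinct-name threshold rather than the hash alone separates the worm's behaviour from a normal release train.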


    The 80,000 malicious packages were published across 18 user accounts and contain only the self-replicating publishing logic.


    The exact purpose of the campaign remains unclear, but JFrog hypothesizes that it could be “a dry run for a future campaign where the same infrastructure and naming scheme could be reused to deliver real malicious payloads for the campaigns with self-replicated code”.
