NPM overwhelmed by DDoS attacks in malware campaigns

Threat actors continue to poison the NPM repository for open-source JavaScript code with malware aimed at unwary application developers.

But the most recent campaigns were so severe, they caused a distributed denial of service attack that periodically blocked access to the site.

Researchers at Checkmarx say a hacker — or hackers — recently created a series of operations against NPM, including a malware infection campaign, a referral scam campaign linked to the online shopping site AliExpress, and a crypto scam campaign targeting Russian users on Telegram.

The threat actors are creating malicious websites hosting so-called tools available on NPM. These sites can be ranked high by search engines because they trust the reputation of open-source repositories. What the attackers actually put in the NPM repository is a readme file that links to the bad website. Unsuspecting developers who click on the link and download the promised code are instead infected with malware from a password-encrypted zip file.

(An example of a malicious package found on a search engine. Source: Checkmarx)

Depending on the campaign, that file can lead to a number of actions, including DLL side-loading, virtualization/sandbox evasion, the ability to disable tools and firewalls, the dropping of tools such as Glupteba, RedLine, Smoke Loader, xmrig and more to steal credentials and to mine cryptocurrency.

Related content: Malicious modules found in NPM

“We mapped several campaigns,” said Checkmarx, “and we believe they are all likely operated by the same threat actor, although we can’t confirm that at this time. It’s possible that there are several threat actors, each operating a campaign individually.”

“We’ve seen spam campaigns in the open-source ecosystems in the past year, but this month was by far the worst one we’ve seen yet,” say the researchers.

“Apparently, attackers found the unvetted open-source ecosystems as an easy target to perform SEO poisoning for various malicious campaigns. As long as the name is untaken, they can publish an unlimited number of packages.

“Typically, the number of package versions released on NPM is approximately 800,000. However, in the previous month, the figure exceeded 1.4 million due to the high volume of spam campaigns.”

NPM should apply anti-bot techniques specifically in the flow of user creation, says the report, which might help prevent such automated campaigns.

Related content: A scanner for developers

In addition, anyone downloading code from an open-source repository such as NPM, PyPI, GitHub, and others has to be careful about downloading and installing anything. That includes checking the reputation of the developer or the code with colleagues or a security provider, being wary of packages that might have almost identical names to the module you’re looking for (known as typosquatting), and scanning code for vulnerabilities.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.