GitHub, the largest open-source software repository, has
unveiled two new updates to assist developers, maintainers, and security researchers in safeguarding the integrity of open-source projects.
These updates aim to strengthen the security of software supply chains by introducing private vulnerability reporting and npm package provenance.
Abuse of npm packages
Cybercriminals have been flooding npm, the open-source package repository for Node.js, with empty malicious packages. These bogus packages are generated by automated scripts, and the sheer volume of traffic they produced briefly amounted to a denial-of-service (DoS) condition, leaving the registry returning a Service Unavailable error.
Why it matters
Cybercriminals often take advantage of the reputation open-source ecosystems enjoy with search engines to carry out attacks such as malware infection, SEO poisoning, and mass spam emailing.
- Recently, they created malicious websites and uploaded numerous empty npm modules containing links to those websites - all via automated scripts.
- This happened in such large numbers that npm experienced stability issues at irregular intervals.
Researchers suspect that although multiple actors are involved in these attacks, they all work toward a set of common goals.
What's that?
- The aim is to lure victims to the fake websites and urge them to download warez software that eventually drops SmokeLoader, RedLine, Glupteba, and cryptominers.
- The attack further involves links that take users to intermediate pages and on to genuine e-commerce sites such as AliExpress with referral IDs, earning the attackers a profit whenever a victim makes a purchase on the platform.
- In addition, the links invited Russian users to join a Telegram channel specializing in cryptocurrency.
Conclusion
Cybercriminals often abuse open-source repositories such as npm with fake packages, poisoning the npm software supply chain ecosystem. With its initiative, GitHub is providing a means to increase transparency about the origin of packages, some of which could contain harmful elements. Meanwhile, experts suggest that repository owners implement anti-bot techniques during user account creation. Users are also advised to cross-check the authenticity of packages before using them in their code.