Security Experts:

Checkmarx Finds Threat Actor 'Fully Automating' NPM Supply Chain Attacks

Threat hunters at Checkmarx on Monday raised an alarm after discovering a threat actor fully automating the creation and delivery of "hundreds of malicious packages" into the NPM ecosystem.

The Checkmarx warning comes on the heels of Snyk’s discovery of "deliberate sabotage" of NPM package managers and raises new concerns about the software supply chain threat landscape.

According to an advisory from Checkmarx, a threat actor flagged as RED-LILI has “fully automated” the process of NPM account creation to launch difficult-to-detect dependency confusion attacks.

"Customarily, attackers use an anonymous disposable NPM account from which they launch their attacks. As it seems this time, the attacker has fully-automated the process of NPM account creation and has opened dedicated accounts, one per package, making his new malicious packages batch harder to spot," said Jossef Harush, head of Checkmarx’s supply chain security engineering group.

[ READ: Snyk Warns of 'Deliberate Sabotage' of NPM Ecosystem ]

The threat actor is currently still active "and continues to publish malicious packages," Checkmarx added.

Harush said his team observed the attacker publishing approximately 800 packages, most of them having a unique user account per package, in bursts over the span of roughly one week. 

"While the packages names were methodically picked, the names of the users publishing them were randomly generated strings such as "5t7crz72" and “d4ugwerp”. This is uncommon for the automated attacks we see. Usually, attackers create a single user and burst their attacks over it." 

"From this behavior, we can conclude that the attacker built an automation process from end to end, including registering users and passing the OTP challenges," he explained.

[ READ: 'Secrets Sprawl' Haunts Software Supply Chain Security ]

The company shared the full list of malicious packages in its documentation of the attacks and Harush warns that a resourceful attacker with the ability to fully automate – and hide – malicious NPM packages is a worrying sign. 

"Until this incident, we've witnessed that most attack actors publish malicious payloads at scale doing things semi-automatically. This one is doing it on FULL-AUTO," Checkmarx said. 

"As supply chain attackers improve their skills and make life harder for their defenders, this attack marks another milestone in their progress. By distributing the packages across multiple usernames, the attacker makes it harder for defenders to correlate and take them all down with "one stroke." By that, of course, making the chances of infection higher."

Over the last year, the NPM ecosystem has been haunted by several major security incidents, including the discovery of malware in several popular NPM packages and the confirmation of major security defects in widely deployed code.

Related: Critical Severity’ Warning: Malware Found in Popular NPM packages

Related: Snyk Warns of 'Deliberate Sabotage' of NPM Ecosystem

Related: GitHub Confirms Another Major NPM Security Defect 

Related: OpenSSF Alpha-Omega Project Tackles Supply Chain Security 

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends. Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.