Security Experts:

Connect with us

Hi, what are you looking for?



Checkmarx Finds Threat Actor ‘Fully Automating’ NPM Supply Chain Attacks

Threat hunters at Checkmarx on Monday raised an alarm after discovering a threat actor fully automating the creation and delivery of “hundreds of malicious packages” into the NPM ecosystem.

Threat hunters at Checkmarx on Monday raised an alarm after discovering a threat actor fully automating the creation and delivery of “hundreds of malicious packages” into the NPM ecosystem.

The Checkmarx warning comes on the heels of Snyk’s discovery of “deliberate sabotage” of NPM package managers and raises new concerns about the software supply chain threat landscape.

According to an advisory from Checkmarx, a threat actor flagged as RED-LILI has “fully automated” the process of NPM account creation to launch difficult-to-detect dependency confusion attacks.

“Customarily, attackers use an anonymous disposable NPM account from which they launch their attacks. As it seems this time, the attacker has fully-automated the process of NPM account creation and has opened dedicated accounts, one per package, making his new malicious packages batch harder to spot,” said Jossef Harush, head of Checkmarx’s supply chain security engineering group.

[ READ: Snyk Warns of ‘Deliberate Sabotage’ of NPM Ecosystem ]

The threat actor is currently still active “and continues to publish malicious packages,” Checkmarx added.

Harush said his team observed the attacker publishing approximately 800 packages, most of them having a unique user account per package, in bursts over the span of roughly one week. 

“While the packages names were methodically picked, the names of the users publishing them were randomly generated strings such as “5t7crz72″ and “d4ugwerp”. This is uncommon for the automated attacks we see. Usually, attackers create a single user and burst their attacks over it.” 

“From this behavior, we can conclude that the attacker built an automation process from end to end, including registering users and passing the OTP challenges,” he explained.

[ READ: ‘Secrets Sprawl’ Haunts Software Supply Chain Security ]

The company shared the full list of malicious packages in its documentation of the attacks and Harush warns that a resourceful attacker with the ability to fully automate – and hide – malicious NPM packages is a worrying sign. 

“Until this incident, we’ve witnessed that most attack actors publish malicious payloads at scale doing things semi-automatically. This one is doing it on FULL-AUTO,” Checkmarx said. 

“As supply chain attackers improve their skills and make life harder for their defenders, this attack marks another milestone in their progress. By distributing the packages across multiple usernames, the attacker makes it harder for defenders to correlate and take them all down with “one stroke.” By that, of course, making the chances of infection higher.”

Over the last year, the NPM ecosystem has been haunted by several major security incidents, including the discovery of malware in several popular NPM packages and the confirmation of major security defects in widely deployed code.

Related: Critical Severity’ Warning: Malware Found in Popular NPM packages

Related: Snyk Warns of ‘Deliberate Sabotage’ of NPM Ecosystem

Related: GitHub Confirms Another Major NPM Security Defect 

Related: OpenSSF Alpha-Omega Project Tackles Supply Chain Security 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.