Several malicious npm packages on the open-source repository have been used in supply chain attacks and phishing campaigns.
The claims come from ReversingLabs researchers, who said in a blog post published on Thursday the packages pose a dual threat, affecting application end users while also supporting email-based phishing attacks, mainly targeting Microsoft 365 users.
Software threat researcher Lucija Valentić said the team discovered more than a dozen malicious npm packages posted between May 11 and June 13.
These packages imitated legitimate modules, such as jquery, which has millions of weekly downloads. Although the malicious packages were downloaded roughly 1000 times, they were swiftly removed from npm after detection.
ReversingLabs has named this campaign “Operation Brainleeches” due to the malicious infrastructure used to facilitate the theft of victim data.
In the first part of the campaign, researchers identified six packages used exclusively in phishing attacks. These packages were linked to phishing campaigns that harvested user data through deceptive Microsoft.com login forms delivered via malicious email attachments.
The second tranche comprised seven packages targeting email phishing campaigns and software supply chain attacks. These packages aimed to implant credential harvesting scripts into applications that unwittingly incorporated the malicious npm packages.
ReversingLabs’ analysis revealed that the malicious npm packages played a role in active phishing attacks, likely conducted by low-skilled actors. While the full extent of the supply chain attack is unclear, using obfuscated code and invocating popular package names like jquery raise concerns about potential compromises.
Valentić said the discovery emphasizes the importance of organizations remaining vigilant against malicious or compromised open-source packages.
“This campaign further underscores the need for organizations to be on the lookout for signs that open-source packages could be malicious or compromised. Often, these attacks hinge on developer inattention to small details in naming, but that’s not all,” she added.
“The use of obfuscated code is a major warning sign. Other indicators include suspicious naming and package versioning, new packages with sketchy histories, smaller than expected downloads and dependencies, and more.”
It is also crucial to scrutinize the features and behavior of third-party code and track dependencies to detect potential threats.