Security experts have urged the npm registry to deploy anti-bot technology after revealing that the open source repository has suffered intermittent denial of service (DoS) outages over the past month.
Npm is self-styled as the largest software registry in the world, containing over two million JavaScript packages for download.
Although it has been hit by spam campaigns in the past, the past four weeks have witnessed “by far the worst one we’ve seen yet,” according to Checkmarx head of software supply chain security, Jossef Harush Kadouri.
“Apparently, attackers found the unvetted open source ecosystem as an easy target to perform SEO poisoning for various malicious campaigns. As long as the name is untaken, they can publish an unlimited number of packages,” he explained in a blog post yesterday.
“Typically, the number of package versions released on npm is approximately 800,000. However, in the past month, the figure exceeded 1.4 million.”
Many of these are “empty” packages whose sole purpose is to link to malicious websites the threat actor created for that purpose, Kadouri said.
As open source registries like npm have a good reputation on search engines, any new packages are bumped to the top of indexes, making them more visible to users, he added.
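The pattern described above (empty packages that only link out, published in bursts by one account) lends itself to a simple registry-side heuristic. The following is an added example written for this article, not code from Checkmarx or npm; the package records, publisher names and `example-spam.test` links are constructed, and the file-list and README fields are assumed to come from registry metadata.

```python
import re
from datetime import datetime, timedelta

# Constructed package records for this example; in practice they would be built
# from registry metadata (package.json, tarball file list, README text).
SAMPLE_PACKAGES = [
    {"name": "free-gift-cards-2023", "publisher": "spam-user",
     "published": "2023-03-20T10:00:00", "files": ["package.json", "README.md"],
     "readme": "Get your free codes here: https://example-spam.test/claim"},
    {"name": "free-gift-cards-2024", "publisher": "spam-user",
     "published": "2023-03-20T10:01:00", "files": ["package.json", "README.md"],
     "readme": "Claim now -> https://example-spam.test/claim2"},
    {"name": "left-padder", "publisher": "maintainer-a",
     "published": "2023-03-19T08:00:00", "files": ["package.json", "README.md", "index.js"],
     "readme": "A small padding helper. See https://github.com/example/left-padder"},
]

CODE_EXT = (".js", ".mjs", ".cjs", ".ts", ".json", ".wasm")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
TRUSTED_HOSTS = ("github.com", "npmjs.com", "www.npmjs.com")  # assumed allow-list

def is_empty_package(pkg):
    """True when the tarball carries no code beyond package.json itself."""
    code_files = [f for f in pkg["files"] if f.endswith(CODE_EXT) and f != "package.json"]
    return not code_files

def outbound_hosts(readme):
    """Hosts linked from the README that are not well-known project hosts."""
    return sorted({h.lower() for h in URL_RE.findall(readme) if h.lower() not in TRUSTED_HOSTS})

def flag_seo_spam(pkg):
    """An empty package whose README only points elsewhere matches the campaign pattern."""
    return is_empty_package(pkg) and bool(outbound_hosts(pkg["readme"]))

def burst_publishers(packages, window=timedelta(minutes=10), threshold=2):
    """Publishers that pushed at least `threshold` flagged packages inside one window."""
    times = {}
    for p in packages:
        if flag_seo_spam(p):
            times.setdefault(p["publisher"], []).append(datetime.fromisoformat(p["published"]))
    hits = []
    for pub, ts in times.items():
        ts.sort()
        for i in range(len(ts)):
            if sum(1 for t in ts[i:] if t - ts[i] <= window) >= threshold:
                hits.append(pub)
                break
    return hits
```

Such a heuristic is a triage signal rather than a verdict: a legitimate placeholder package can look the same, so the flagged publisher and link hosts would feed a review queue or rate limiter, not an automatic takedown.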
“The unstoppable load created by those automated scripts made npm unstable with sporadic ‘Service Unavailable’ errors. I can witness in the past week it happened to me and my colleagues many times,” Kadouri claimed.
“We mapped several campaigns, and we believe they are all likely operated by the same threat actor, although we can’t confirm that at this time.”
Kadouri urged npm to utilize anti-bot technology in a bid to curb these automated campaigns – especially in the new user registration process.
“The battle against threat actors poisoning our software supply chain ecosystem continues to be challenging, as attackers constantly adapt and surprise the industry with new and unexpected techniques,” he concluded.