A phishing group has uploaded over 144,000 malicious open source packages to three open source repositories, in a major new automated campaign, according to Checkmarx.
Working with fellow security vendor Illustria, the firm first discovered the campaign a few months ago when it noticed large clusters of packages published to the NuGet package manager.
It discovered that 135,000 such packages were uploaded by the same threat actor to that platform, with a further 212 on npm and 7824 on PyPI.
The packages in question featured phishing links designed to harvest victims’ email addresses, usernames and passwords for various accounts. Some also took victims to legitimate sites like the e-commerce marketplace AliExpress, which generated referral fees for the threat actors.
“The messages in these packages attempt to entice readers into clicking links with promises of game cheats, free resources and increased followers and likes on social media platforms like TikTok and Instagram,” said Checkmarx.
“The phishing campaign linked to over 65,000 unique URLs on 90 domains, with each domain hosting multiple phishing webpages under different paths. The deceptive webpages are well-designed and, in some cases, even include fake interactive chats that appear to show users receiving the cheats or followers they were promised.”
Checkmarx claimed that the group wanted to improve the search engine optimization (SEO) of its phishing sites by linking them to legitimate websites like NuGet.
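As an added illustration (not Checkmarx's or Illustria's tooling), the following Python heuristic scans package metadata for lure wording combined with off-platform links, then groups hits by domain so that one domain serving many paths across many packages stands out, which is the pattern the report describes. The package names, domains, and lure word list are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample metadata; names and domains are hypothetical, not from the report.
PACKAGES = [
    {"name": "tiktok-followers-free-2022", "registry": "nuget",
     "description": "Get free followers on TikTok! Claim here: https://promo-site.example/tiktok/free"},
    {"name": "fortnite-cheat-pack", "registry": "nuget",
     "description": "Working game cheats, free resources: https://promo-site.example/fortnite/hack"},
    {"name": "insta-likes-booster", "registry": "pypi",
     "description": "Free Instagram likes and followers https://promo-site.example/insta/likes"},
    {"name": "jsonparser", "registry": "npm",
     "description": "A fast JSON parser. Docs: https://github.com/example/jsonparser"},
]

# Lure vocabulary taken from the report's description of the campaign; extend as needed.
LURE_TERMS = ("cheat", "free resources", "followers", "likes")
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")
# Hosts that are expected in legitimate package metadata and therefore not counted.
TRUSTED_HOSTS = {"github.com", "gitlab.com", "nuget.org", "npmjs.com", "pypi.org"}

def lure_hits(description):
    """Return the lure terms present in a description, in LURE_TERMS order."""
    text = description.lower()
    return [t for t in LURE_TERMS if t in text]

def external_urls(description):
    """Return links in the description that point outside trusted hosts."""
    return [u for u in URL_RE.findall(description) if urlparse(u).hostname not in TRUSTED_HOSTS]

def flag_packages(packages):
    """Flag packages that both use lure wording and link off-platform."""
    flagged = []
    for p in packages:
        hits, urls = lure_hits(p["description"]), external_urls(p["description"])
        if hits and urls:
            flagged.append({"name": p["name"], "registry": p["registry"], "lures": hits, "urls": urls})
    return flagged

def cluster_by_domain(flagged):
    """Group flagged packages by the domain they link to, recording distinct URL paths."""
    clusters = defaultdict(lambda: {"packages": set(), "paths": set()})
    for f in flagged:
        for u in f["urls"]:
            parsed = urlparse(u)
            clusters[parsed.hostname]["packages"].add(f["name"])
            clusters[parsed.hostname]["paths"].add(parsed.path)
    return {d: {"packages": sorted(v["packages"]), "paths": sorted(v["paths"])} for d, v in clusters.items()}

def campaign_domains(clusters, min_packages=2, min_paths=2):
    """Domains linked from several packages under several paths: the report's campaign signature."""
    return sorted(d for d, v in clusters.items()
                  if len(v["packages"]) >= min_packages and len(v["paths"]) >= min_paths)
```

Running `campaign_domains(cluster_by_domain(flag_packages(PACKAGES)))` on the sample data returns the single constructed domain; the legitimate parser package is not flagged because it has no lure wording and links only to a trusted host.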
A high degree of automation was the key to the campaign, it added.
“This allowed them to publish a large number of packages in a short period of time, making it difficult for the different security teams to identify and remove the packages quickly,” concluded Checkmarx.
“Automating the process also allowed the attackers to create a large number of user accounts, making it difficult to trace the source of the attack. This shows the sophistication and determination of these attackers, who were willing to invest significant resources in order to carry out this campaign.”
Although the offending packages have been unlisted from NuGet's search results, they are still available on the website, Checkmarx warned.