Open-source repositories overflow with phishing packages

December 29, 2022

Open-source repositories such as PyPI, NuGet, and NPM were flooded with nearly 150,000 phishing-related packages from unknown threat actors.

According to reports, the packages were uploaded from accounts that follow a specific naming scheme, carry near-identical descriptions, and link to the same cluster of about 90 domains hosting more than 65,000 phishing pages.

This operation promotes prize-winning surveys, gift cards, fake applications, giveaways, and more. In addition, some attacks redirect victims to AliExpress through referral links.

NuGet received the most malicious packages among the open-source repositories.

NuGet is one of the best-known open-source repositories, but it took the heaviest hit, holding the largest share of the malicious packages. NuGet stores about 136,000 phishing-related packages, PyPI has over 7,000, and NPM only just over 200.

The attackers uploaded the phishing packages within about two days, a pace that itself marks the operation as a coordinated threat-actor campaign. Links to the phishing sites were embedded in the package descriptions to boost the search-engine ranking of those sites.

The phishing-related packages also encourage users to follow the attached links for instructions on claiming the actors' fake gift card codes, hacking kits, and apps. In other instances, the threat actors advertise phony Steam gift card generators, Play Store credits, YouTube subscriber generators, PlayStation Network e-gift card codes, and Instagram follower generators.

The sites linked from the packages all share the same look: a fake free-generator tool. When the user runs the tool, it fails and demands "human verification" before it will work.

That verification step starts a chain of redirects through survey sites that eventually lands on legitimate e-commerce websites via affiliate links, which is how the operators earn revenue from the campaign.

The researchers who identified the campaign notified NuGet, and all the listed packages have been removed. Still, because the actors rely on automation to upload a large number of packages in just a few days, they could rename the packages and re-introduce them to the repositories.
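The pattern described above (many packages, uploaded in a burst of about two days, all linking to a small set of shared domains from their descriptions) is something a repository operator or a downstream scanner can look for in package metadata. The following Python is an added example, not code from the article or from any of the repositories named; the package records and domains are constructed sample data, and the thresholds (three packages within 48 hours) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample package metadata (not real packages): the "promo" entries
# mimic the campaign pattern, the "legit" entries are ordinary uploads.
SAMPLE_PACKAGES = [
    {"name": "free-giftcard-gen-01", "uploaded": "2022-12-10T08:00:00",
     "description": "Claim your codes at https://promo-example-a.test/claim"},
    {"name": "free-giftcard-gen-02", "uploaded": "2022-12-10T09:30:00",
     "description": "Free gift cards: https://promo-example-a.test/cards"},
    {"name": "steam-codes-free-03", "uploaded": "2022-12-11T12:00:00",
     "description": "Steam codes generator http://promo-example-a.test/steam"},
    {"name": "yt-subs-booster-04", "uploaded": "2022-12-11T13:00:00",
     "description": "Get subscribers https://www.promo-example-b.test/yt"},
    {"name": "legit-http-client", "uploaded": "2022-12-05T10:00:00",
     "description": "Docs: https://docs.example-legit.test"},
    {"name": "legit-http-client-extras", "uploaded": "2022-12-30T10:00:00",
     "description": "Extras, see https://docs.example-legit.test/extras"},
]

# Captures the host part of any http(s) URL; scheme and path are dropped.
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def extract_domains(description):
    """Return the lower-cased host names of every http(s) URL in a description."""
    return {host.lower() for host in URL_HOST_RE.findall(description)}

def find_burst_domains(packages, min_packages=3, window=timedelta(hours=48)):
    """Map each domain to the packages linking to it, keeping only domains that
    at least `min_packages` packages pointed to within one `window` of time."""
    by_domain = defaultdict(list)
    for pkg in packages:
        uploaded = datetime.fromisoformat(pkg["uploaded"])
        for domain in extract_domains(pkg["description"]):
            by_domain[domain].append((uploaded, pkg["name"]))
    flagged = {}
    for domain, hits in by_domain.items():
        hits.sort()  # sliding window over upload times needs chronological order
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= min_packages:
                flagged[domain] = sorted(name for _, name in hits)
                break
    return flagged

if __name__ == "__main__":
    print(find_burst_domains(SAMPLE_PACKAGES))
```

Two links to the legitimate documentation host 25 days apart never form a burst, while the three campaign-style packages pointing at one domain within a day and a half do.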
