NPM JavaScript packages abused to create scambait links in bulk

Jonathan Swift is probably most famous for his novel Gulliver’s Travels, during which the narrator, Lemuel Gulliver, encounters a socio-political schism in Lilliputian society caused by unending arguments over whether you should open a boiled egg at the big end or the little end.

This satirical observation has flowed directly into modern computer science, with CPUs that represent integers with the least significant bytes at the lowest memory addresses called little-endian (that’s like writing the year AD 1984 as 4 8 9 1, in the sequence units-tens-hundreds-thousands), and those that put the most significant bytes first in memory (as numbers are conventionally written: 1 9 8 4) known as big-endian.

Swift, of course, gave us another satirical note that applies rather neatly to open-source supply chain attacks, where programmers decide to use project X, only to find that X depends on Y, which itself depends on Z, which depends on A, B and C, which in turn…

…you get the picture.

That observation came in a series of remarks about poets that appeared, appropriately enough, in a poem:

 So, Nat'ralists observe, a Flea
 Hath smaller Fleas that on him prey,
 And these have smaller yet to bite 'em,
 And so proceed ad infinitum

We’re not sure, but we’re guessing that the Great Vowel Shift was still not complete in the late 1600s and early 1700s, and that the -EA in Swift’s word Flea was pronounced then as we still, rather peculiarly, pronounce the -EY in prey today. Thus the poem would be read aloud with the sound flay to rhyme with pray. (This E-used-to-be-A business is why British people still say DARBY when they read the placename Derby, or BARKSHIRE when they visit Royal Berkshire.)

Flea stacks considered harmful

We’ve therefore got used to the idea that rogue content uploaded to open source package repositories generally aims to inject itself unnoticed into the “flea stacks” of code dependencies that some products inadvertently download when updating automatically.

But researchers at supply-chain security testing outfit Checkmarx recently warned about a much less sophisticated, yet potentially much more intrusive, abuse of popular repositories: as phishing link “redirectors”.

Researchers noticed hundreds of online properties such as WordPress blogging sites that had been littered with scammy-looking posts…

…that linked off to thousands of URLs hosted in the NPM package repository.

But those “packages” didn’t exist to publish source code.

They existed simply as placeholders for README files that included the final links that the crooks wanted people to click on.

These links typically included referral codes that would net the scammers a modest reward, even if the person clicking through was doing so simply to see what on earth was going on.

The NPM package names weren’t exactly subtle, so you ought to spot them.

Fortunately, the crooks (inadvertently, we assume) managed to include their list of poisonous packages in one of their uploads.

Checkmarx has therefore published a list containing more than 17,000 unique bogus names, of which just a small sample (one each for the first few letters of the alphabet) shows you what sort of “goods and services” these crooks claim to offer:

active-amazon-promo-codes-list-that-work-updates-daily-106
bingo-bash-free-bingo-chips-and-daily-bonus-222
call-of-duty-warzone-2400-points-for-free-gamerhash-com778
dice-dream-free-rolls
evony-kings-return-upgrade-keep-level-35-without-spending-money779
fifa-mobile-23--new-toty-23-make-millions546
get-free-tiktok-followers505
how-can-i-get-my-snap-score-higher796
instagram_followers_bot_free_apk991
jackpot_world_free_coins_and_jewels307
king-of-avalon--tips-and-tricks-to-get-free-gold429
lakers-shirt-nba-jersey023
. . .

Checkmarx also published a list of close to 200 web pages on which posts had been published that promoted and linked to these bogus NPM packages.

It sounds as though the scammers already had usernames and passwords for some of these sites, which allowed them to post as named or otherwise “trusted” users and reviewers.

But any site with unmoderated or poorly-moderated comments could be peppered anonymously with this sort of rogue link, so just forcing all your community members to create an account on your site is not itself enough to control this sort of abuse.

Creating clickable links in many, if not most, online source code repositories is surprisingly easy, and automatically follows the look-and-feel of the site as a whole.

You don’t even need to create full-blown HTML layouts or CSS page styles – usually, you just create a file in the root directory of your project called README.md.

The extension .md is short for Markdown, a super-easy-to-use text markup language (see what they did there?) that replaces the complex angle-bracket tags and attributes of HTML with simple text annotations.

To make text bold in Markdown, just put stars round it, so that **this bit** would be bold. For paragraphs, you just leave blank lines. To create a link, just put some text in square brackets and follow it with a URL in round brackets. To display an image from a URL instead of creating clickable text to it, put an exclamation point in front of the link, and so on.

What to do?

  • Don’t click “freebie” links, even if you find you are interested or intrigued. You don’t know where you’ll end up, but it will probably be in harm’s way. You may well also be creating bogus pay-per-click traffic for the crooks, and even though the amount for each click might be minuscule, why gift cybercriminals anything if you can help it?
  • Don’t fill in online surveys, no matter how harmless they seem. Checkmarx reported that many of these links end up with surveys and other “tests” to qualify you for “gifts” of some sort. The scale and breadth of this scamming exercise is a good reminder that fake “surveys” that each ask for small and apparently inconsequential gobbets of information about you aren’t collecting that data independently. It all ends up collated into one huge bucket of PII (personally identifiable information) that ultimately gives away much more about you than you might expect. Filling in surveys gives free assistance to the next wave of scammers, so why gift cybercriminals anything if you can help it?
  • Don’t run blogs or community sites that allow unmoderated posts or comments. You don’t have to force everyone to create a password if you don’t want to, but you should require a trusted human to approve every comment. If you can’t handle the volume of comment spam (which can be huge – though most blogging services have filtering tools that can help you get rid of most of it automatically), turn comments off. A bogus link in a comment is essentially a free service to scammers, so why gift cybercriminals anything if you can help it?
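If you moderate a blog or community site, the Markdown link syntax described above is also what makes this abuse easy to spot mechanically. The following is an added example (not code from the article or from Checkmarx) that pulls the links out of a submitted comment or a package README, flags any that point at an NPM package page, and flags outbound links carrying referral-style query parameters; the sample comment, the sample README, the package name and the list of referral parameter names are all constructed for illustration and are assumptions, not values taken from the campaign.

```python
import re
from urllib.parse import urlparse, parse_qs

# Markdown link syntax as described in the article: [text](url), and ![alt](url) for images.
MD_LINK = re.compile(r'!?\[([^\]]*)\]\(\s*(\S+?)\s*\)')

# Query parameters commonly used for affiliate/referral tracking.
# This list is an assumption for the example, not data from the article or Checkmarx.
REFERRAL_PARAMS = {"ref", "referral", "aff", "affiliate", "promo", "invite"}

def extract_links(markdown):
    """Return (text, url) pairs for every Markdown link or image in the text."""
    return [(m.group(1), m.group(2)) for m in MD_LINK.finditer(markdown)]

def is_npm_package_link(url):
    """True if the URL points at a package page on the NPM registry website."""
    u = urlparse(url)
    return u.netloc.endswith("npmjs.com") and u.path.startswith("/package/")

def has_referral_code(url):
    """True if any query parameter name looks like an affiliate/referral code."""
    return bool(REFERRAL_PARAMS & set(parse_qs(urlparse(url).query)))

def flag_links(markdown):
    """Return (url, reason) pairs for links a human moderator should review."""
    flagged = []
    for _text, url in extract_links(markdown):
        if is_npm_package_link(url):
            flagged.append((url, "link to NPM package page in user content"))
        elif has_referral_code(url):
            flagged.append((url, "outbound link carrying a referral code"))
    return flagged

# Constructed sample comment of the kind the article describes (made-up package name).
SAMPLE_COMMENT = """Hey everyone, grab these now!
[Free coins here](https://www.npmjs.com/package/example-free-coins-daily-000)
also see ![banner](https://example.invalid/img.png) and
[our docs](https://example.invalid/docs)"""

# Constructed sample README body of the kind a placeholder package might carry.
SAMPLE_README = "# Free stuff\n[Claim](https://example.invalid/offer?ref=abc123)"

if __name__ == "__main__":
    for item in flag_links(SAMPLE_COMMENT) + flag_links(SAMPLE_README):
        print(item)
```

Flagged links are queued for a human to approve or reject, which is the moderation step the advice above calls for; the heuristics only decide what gets looked at, not what gets published.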

Remember…

think before you click, and if in doubt, don’t give it out!
