NPM JavaScript packages abused to create scambait links in bulk
Jonathan Swift is probably most famous for his novel Gulliver’s Travels, during which the narrator, Lemuel Gulliver, encounters a socio-political schism in Lilliputian society caused by unending arguments over whether you should open a boiled egg at the big end or the little end.

This satirical observation has flowed directly into modern computer science, with CPUs that represent integers with the least significant bytes at the lowest memory addresses called little-endian (that’s like writing the year AD 1984 as 4 8 9 1, units-tens-hundreds-thousands), and those that put the most significant bytes first in memory (as numbers are conventionally written: 1 9 8 4) known as big-endian.
Swift, of course, gave us another satirical note that applies rather neatly to open-source supply chain attacks, where programmers decide to use project X, only to find that X depends on Y, which itself depends on Z, which depends on A, B and C, which in turn…

…you get the picture.
That observation came in a series of remarks about poets that appeared, appropriately enough, in a poem:

So, Nat'ralists observe, a Flea
Hath smaller Fleas that on him prey,
And these have smaller yet to bite 'em,
And so proceed ad infinitum
We’re not sure, but we’re guessing that the Great Vowel Shift was still not complete in the late 1600s and early 1700s, and that the -EA in Swift’s word Flea was pronounced then as we still, rather peculiarly, pronounce the -EY in prey today. Thus the poem would be read aloud with the sound flay to rhyme with pray.

(This E-used-to-be-A business is why British people still say DARBY when they read the placename Derby, or BARKSHIRE when they visit Royal Berkshire.)
Flea stacks considered harmful
We’ve therefore got used to the idea that rogue content uploaded to open source package repositories generally aims to inject itself unnoticed into the “flea stacks” of code dependencies that some products inadvertently download when updating automatically.

But researchers at supply-chain security testing outfit Checkmarx recently warned about a much less sophisticated, yet potentially much more intrusive, abuse of popular repositories: as phishing link “redirectors”.
Researchers noticed hundreds of online properties such as WordPress blogging sites that had been littered with scammy-looking posts…

…that linked off to thousands of URLs hosted in the NPM package repository.
But those “packages” didn’t exist to publish source code. They existed simply as placeholders for README files that included the final links that the crooks wanted people to click on.

These links typically included referral codes that would net the scammers a modest reward, even if the person clicking through was doing so simply to see what on earth was going on.

The NPM package names weren’t exactly subtle, so you ought to spot them.
Fortunately, the crooks (inadvertently, we assume) managed to include their list of poisonous packages in one of their uploads.

Checkmarx has therefore published a list containing more than 17,000 unique bogus names, of which just a small sample (one each for the first few letters of the alphabet) shows you what sort of “goods and services” these crooks claim to offer:

active-amazon-promo-codes-list-that-work-updates-daily-106
bingo-bash-free-bingo-chips-and-daily-bonus-222
call-of-duty-warzone-2400-points-for-free-gamerhash-com778
dice-dream-free-rolls
evony-kings-return-upgrade-keep-level-35-without-spending-money779
fifa-mobile-23--new-toty-23-make-millions546
get-free-tiktok-followers505
how-can-i-get-my-snap-score-higher796
instagram_followers_bot_free_apk991
jackpot_world_free_coins_and_jewels307
king-of-avalon--tips-and-tricks-to-get-free-gold429
lakers-shirt-nba-jersey023
. . .
Checkmarx also published a list of close to 200 web pages on which posts had been published that promoted and linked to these bogus NPM packages.

It sounds as though the scammers already had usernames and passwords for some of these sites, which allowed them to post as named or otherwise “trusted” users and reviewers. But any site with unmoderated or poorly-moderated comments could be peppered anonymously with this sort of rogue link, so just forcing all your community members to create an account on your site is not itself enough to control this sort of abuse.
Creating clickable links in many, if not most, online source code repositories is surprisingly easy, and automatically follows the look-and-feel of the site as a whole. You don’t even need to create full-blown HTML layouts or CSS page styles – usually, you just create a file in the root directory of your project called README.md.

The extension .md is short for Markdown, a super-easy-to-use text markup language (see what they did there?) that replaces the complex angle-bracket tags and attributes of HTML with simple text annotations.
To make text bold in Markdown, just put stars round it, so that **this bit** would be bold. For paragraphs, you just leave blank lines. To create a link, just put some text in square brackets and follow it with a URL in round brackets. To display an image from a URL instead of creating clickable text to it, put an exclamation point in front of the link, and so on.
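As an added example (not code from the article or from Checkmarx), here is a small Node.js audit of the Markdown links in a README of the kind described above: it pulls out every [text](url) link and ![alt](url) image and flags the external ones whose query strings carry referral-style parameters, so a moderator or registry scanner has a short list to review. The README text, the hostnames and the list of referral parameter names are constructed assumptions.

```javascript
// Added example, not code from the article or Checkmarx. Extracts Markdown links
// from README text and flags those carrying referral-style query parameters.

// Query-string keys often used for referral/affiliate tracking (assumption, not from the article).
const REFERRAL_KEYS = new Set(["ref", "referral", "aff", "affiliate", "affid", "invite", "promo"]);

// Matches ![alt](url "title") images and [text](url) links; group 1 is the optional "!".
const LINK_RE = /(!?)\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)/g;

// Returns every link/image in document order as { kind, text, url }.
function extractMarkdownLinks(markdown) {
  const found = [];
  for (const m of markdown.matchAll(LINK_RE)) {
    found.push({ kind: m[1] === "!" ? "image" : "link", text: m[2], url: m[3] });
  }
  return found;
}

// True when the URL is absolute and any query key is a known referral/affiliate key.
function hasReferralCode(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl); // throws for relative paths such as ./docs/usage.md
  } catch {
    return false;
  }
  for (const key of u.searchParams.keys()) {
    if (REFERRAL_KEYS.has(key.toLowerCase())) return true;
  }
  return false;
}

// The subset a moderator should look at: links whose URL carries a referral code.
function suspiciousLinks(markdown) {
  return extractMarkdownLinks(markdown).filter((l) => hasReferralCode(l.url));
}

// Constructed README in the style of the placeholder packages the article describes.
const SAMPLE_README = `# free-coins-daily (constructed example)

**Claim your bonus** here: [CLICK NOW](https://offers.example.invalid/landing?ref=abc123&utm_source=npm)
![banner](https://cdn.example.invalid/banner.png)
See the [docs](./docs/usage.md) for details.`;

for (const l of suspiciousLinks(SAMPLE_README)) {
  console.log(`${l.kind}: "${l.text}" -> ${l.url}`);
}
```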
What to do?

- Don’t click “freebie” links, even if you find you are interested or intrigued. You don’t know where you’ll end up, but it will probably be in harm’s way. You may well also be creating bogus pay-per-click traffic for the crooks, and even though the amount for each click might be minuscule, why gift cybercriminals anything if you can help it?
- Don’t fill in online surveys, no matter how harmless they seem. Checkmarx reported that many of these links end up with surveys and other “tests” to qualify you for “gifts” of some sort. The scale and breadth of this scamming exercise is a good reminder that fake “surveys” that each ask for small and apparently inconsequential gobbets of information about you aren’t collecting that data independently. It all ends up collated into one huge bucket of PII (personally identifiable information) that ultimately gives away much more about you than you might expect. Filling in surveys gives free assistance to the next wave of scammers, so why gift cybercriminals anything if you can help it?
- Don’t run blogs or community sites that allow unmoderated posts or comments. You don’t have to force everyone to create a password if you don’t want to, but you should require a trusted human to approve every comment. If you can’t handle the volume of comment spam (which can be huge – though most blogging services have filtering tools that can help you get rid of most of it automatically), turn comments off. A bogus link in a comment is essentially a free service to scammers, so why gift cybercriminals anything if you can help it?
Remember…

…think before you click, and if in doubt, don’t give it out!