A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages

A threat actor dubbed "RED-LILI" has been linked to an ongoing large-scale supply chain attack campaign targeting the NPM package repository by publishing nearly 800 malicious modules.
"As it seems this time, the attacker has fully-automated the process of NPM account creation and has opened dedicated accounts, one per package, making his new malicious packages batch harder to spot."
The findings build on recent reports from JFrog and Sonatype, both of which detailed hundreds of NPM packages leveraging techniques like dependency confusion and typosquatting to target Azure, Uber, and Airbnb developers.
According to a detailed analysis of RED-LILI's modus operandi, the earliest evidence of anomalous activity is said to have occurred on February 23, 2022, with the cluster of malicious packages published in "bursts" over a span of a week.
Armed with this brand-new NPM user account, the threat actor then proceeds to create and publish a malicious package, only one per account, in an automated fashion, but not before generating an access token so that the package can be published without an email OTP challenge.
"As supply chain attackers improve their skills and make life harder for their defenders, this attack marks another milestone in their progress," the researchers said.
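As an added example, not code from the report or the researchers, one way to surface the publishing pattern described above: the heuristic below runs over constructed registry metadata and flags packages whose publisher account owns exactly one package when several such single-package publishes land within a short window (the one-account-per-package, burst-published pattern). Package names, account names and timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of registry publish events: (package, publisher account, ISO time).
# Mixes multi-package maintainers, isolated single-package accounts and one burst
# of single-package accounts publishing within the same minute.
SAMPLE_PUBLISHES = [
    ("webapp-core", "maintainer-one", "2022-02-10T12:00:00"),
    ("webapp-core-cli", "maintainer-one", "2022-02-12T09:30:00"),
    ("small-helper", "hobby-dev", "2022-02-11T15:45:00"),      # single package, isolated
    ("pkg-a0f1", "acct-0001", "2022-02-23T08:00:05"),
    ("pkg-b7c2", "acct-0002", "2022-02-23T08:00:09"),
    ("pkg-c3e9", "acct-0003", "2022-02-23T08:00:14"),
    ("pkg-d58a", "acct-0004", "2022-02-23T08:00:51"),
    ("stray-tool", "acct-9999", "2022-02-25T09:00:00"),        # single package, isolated
]


def flag_burst_single_package_accounts(publishes, window=timedelta(minutes=5), min_cluster=3):
    """Return (sorted) package names published by accounts that own exactly one
    package, where at least `min_cluster` such publishes fall inside `window`."""
    per_account = defaultdict(list)
    for pkg, account, ts in publishes:
        per_account[account].append((pkg, datetime.fromisoformat(ts)))

    # Keep only publishes from single-package accounts, ordered by time.
    singles = sorted(
        (ts, pkg) for items in per_account.values() if len(items) == 1
        for pkg, ts in items
    )

    flagged = set()
    start = 0
    # Sliding window: for each publish, shrink the window from the left until it
    # spans at most `window`, then flag everything in it if it is large enough.
    for end in range(len(singles)):
        while singles[end][0] - singles[start][0] > window:
            start += 1
        if end - start + 1 >= min_cluster:
            flagged.update(pkg for _, pkg in singles[start:end + 1])
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_burst_single_package_accounts(SAMPLE_PUBLISHES))
```

The thresholds are assumptions to tune against a real registry feed; the isolated single-package accounts in the sample are deliberately left unflagged so that a lone new publisher is not treated as suspicious on its own.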
News URL
https://thehackernews.com/2022/03/a-threat-actor-dubbed-red-lili-has-been.html