Security News > 2023 > February > NPM JavaScript packages abused to create scambait links in bulk
They existed simply as placeholders for README files that included the final links that the crooks wanted people to click on.
These links typically including referral codes that would net the scammers a modest reward, even if the person clicking through was doing so simply to see what on earth was going on.
Active-amazon-promo-codes-list-that-work-updates-daily-106 bingo-bash-free-bingo-chips-and-daily-bonus-222 call-of-duty-warzone-2400-points-for-free-gamerhash-com778 dice-dream-free-rolls evony-kings-return-upgrade-keep-level-35-without-spending-money779 fifa-mobile-23-new-toty-23-make-millions546 get-free-tiktok-followers505 how-can-i-get-my-snap-score-higher796 instagram followers bot free apk991 jackpot world free coins and jewels307 king-of-avalon-tips-and-tricks-to-get-free-gold429 lakers-shirt-nba-jersey023 .... Checkmarx also published a list of close to 200 web pages on which posts had been published that promoted and linked to these bogus NPM packages.
Any site with unmoderated or poorly-moderated comments could be peppered anonymously with this sort of rogue link, so just forcing all your community members to create an account on your site is not itself enough to control this sort of abuse.
Creating clickable links in many, if not most, online source code repositories is surprisingly easy, and automatically follows the look-and-feel of the site as a whole.
To create a link, just put some text in square brackets and follow it with a URL in round brackets.