The npm registry, which describes itself as the largest software registry in the world, has suffered repeated denial-of-service outages in recent weeks.
Jossef Harush Kadouri, head of software supply chain security at Checkmarx, described the malicious campaigns behind the outages as the worst the company had ever seen.
The attackers took advantage of the fact that anyone can publish to the open-source registry without review, and used search engine optimisation (SEO) poisoning to drive their campaigns.
Kadouri explained that an attacker can publish an unlimited number of packages. Spam campaigns on npm are not new, but the past four weeks had seen a sharp increase, and the bulk of the activity consisted of empty packages that link to malicious websites.
Because open-source registries have a good reputation with search engines, newly published packages rank high in search results, making them highly visible to users. The automated scripts the attackers used to publish at scale placed an overwhelming load on npm, causing intermittent "Service Unavailable" (HTTP 503) errors.
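The two signals the report describes, empty packages whose metadata points at external sites and bursts of automated publishing from a single account, can be turned into simple heuristics. The script below is an added example written for this page, not code from Checkmarx or npm. It assumes the defender has a package's package.json as a dict, its README text and the list of file paths in the tarball, plus a feed of publish events as (timestamp, publisher) pairs; the package names, URLs, account names and timestamps are constructed.

```python
"""Heuristics for the npm spam pattern described above (added example).

Assumptions, not from the article: package metadata is available as the
package.json dict, the README text and the list of tarball file paths;
publish events are available as (datetime, publisher) tuples.
All sample data below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://[^\s)\]>\"']+", re.IGNORECASE)
# File types that indicate the package actually ships code.
CODE_SUFFIXES = (".js", ".mjs", ".cjs", ".ts", ".node", ".wasm")
# Hosts a legitimate package commonly links to; everything else counts as outbound.
TRUSTED_HOSTS = {"github.com", "www.npmjs.com", "npmjs.com"}


def external_links(*texts):
    """Return the set of URLs in the given texts whose host is not a trusted one."""
    links = set()
    for text in texts:
        for url in URL_RE.findall(text or ""):
            host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()
            if host not in TRUSTED_HOSTS:
                links.add(url.rstrip(".,"))
    return links


def is_empty_link_package(manifest, readme, files):
    """Flag a package that ships no code but whose metadata points readers
    to external sites. Returns (flagged, reason)."""
    code_files = [f for f in files if f.endswith(CODE_SUFFIXES)]
    if code_files:
        return False, "has code"
    links = external_links(manifest.get("description", ""),
                           manifest.get("homepage", ""), readme)
    if not links:
        return False, "empty but no outbound links"
    return True, f"empty package with {len(links)} outbound link(s)"


def publish_bursts(events, window=timedelta(minutes=10), threshold=20):
    """Report publishers that pushed at least `threshold` packages inside any
    sliding time window of length `window`. Returns {publisher: peak count}."""
    by_pub = defaultdict(list)
    for ts, pub in events:
        by_pub[pub].append(ts)
    flagged = {}
    for pub, stamps in by_pub.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[pub] = max(flagged.get(pub, 0), count)
    return flagged


# --- constructed sample data (hypothetical names and URLs) ---
SPAM_MANIFEST = {"name": "free-gift-cards-2023", "version": "1.0.0",
                 "description": "Claim your reward at https://example-spam.invalid/claim"}
SPAM_README = "# free gift cards\nVisit https://example-spam.invalid/claim now!"
SPAM_FILES = ["package/package.json", "package/README.md"]

REAL_MANIFEST = {"name": "left-pad-clone", "version": "1.0.0",
                 "description": "Left pad strings",
                 "homepage": "https://github.com/example/left-pad-clone"}
REAL_README = "# left-pad-clone\nSee https://github.com/example/left-pad-clone"
REAL_FILES = ["package/package.json", "package/README.md", "package/index.js"]


def constructed_events():
    """A bot account publishing 25 packages 10 seconds apart, next to a
    maintainer publishing 3 packages hours apart (constructed)."""
    base = datetime(2023, 3, 28, 12, 0, 0)
    bot = [(base + timedelta(seconds=10 * i), "bot-account") for i in range(25)]
    human = [(base + timedelta(hours=4 * i), "maintainer") for i in range(3)]
    return bot + human


if __name__ == "__main__":
    print(is_empty_link_package(SPAM_MANIFEST, SPAM_README, SPAM_FILES))
    print(is_empty_link_package(REAL_MANIFEST, REAL_README, REAL_FILES))
    print(publish_bursts(constructed_events()))
```

The empty-package check is deliberately conservative: a package with any code file is never flagged, so the heuristic catches only the link-only shells the report describes. The burst detector uses a sliding window so that a steady, slow publisher is not mistaken for a bot, while an account that dumps dozens of packages in minutes is reported with its peak rate; on the registry side the same window logic is what an anti-bot rate limit would enforce.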
Kadouri said he and his colleagues had run into the problem several times over the previous week. They believed the campaigns were being run by the same threat actor, although they could not confirm this. He called on npm to deploy anti-bot technology, above all during new-user registration, to reduce the impact of these automated campaigns.
Threat actors continue to find new ways to poison the software supply chain, and the industry must remain vigilant and proactive against unexpected techniques.