After recent reports of security researcher Alex Birsan compromising large companies such as Microsoft, Apple, PayPal and Netflix through the NPM package repository, Sonatype has spotted over 275 new malicious packages copying Birsan's concept.
Code for the package "shopify-cloud," a malicious package identified in the Sonatype report, sets the system's DNS servers to an attacker-controlled address. Another package identified by BleepingComputer also pointed DNS at an attacker-controlled address but left in comments from Birsan's proof-of-concept code, including his email address and Twitter handle. Birsan confirmed that he did not publish the new packages: every NPM package he has published sits under his clearly identified account, and all of them collect the same minimally invasive information. He suggested that other researchers or threat actors are likely copying the concept he popularized, either to earn bug bounty rewards or in attempts to actually compromise targets.