Threat Watch

A Large-Scale Supply Chain Attack Spanning Over 800 Malicious NPM Packages

A threat actor tracked as “RED-LILI” has been linked to an ongoing, large-scale supply chain attack campaign targeting the NPM package registry, in which over 800 malicious modules have been published. “Customarily, attackers use an anonymous, disposable NPM account from which they launch their attacks. As it seems this time, the attacker has fully-automated the process of NPM account creation and has opened dedicated accounts, one per package, making his new malicious packages batch harder to spot,” reads the report published by the Israeli software security company Checkmarx.


The findings build on recent reviews from JFrog and Sonatype, both of which detailed numerous NPM packages that leverage techniques like dependency confusion and typosquatting to target Uber, Airbnb, and Azure developers. Checkmarx noted that the first evidence of anomalous activity appeared on February 23, 2022, when the cluster of malicious packages was published in “bursts” over seven days. The automation process for uploading the rogue libraries to NPM uses a combination of custom Python code and browser automation tools like Selenium to simulate the user actions needed to complete the account creation flow in the registry. After creating a new NPM user account, the attacker publishes a single malicious package from it, one per account, which allows publishing without an email One Time Password (OTP). “As supply chain attackers improve their skills and make life harder for their defenders, this attack marks another milestone in their progress. By distributing the packages across multiple usernames, the attacker makes it harder for defenders to correlate and take them all down with one stroke,” Checkmarx said.
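The one-package-per-account pattern described above is exactly what a defender can correlate on: packages whose publisher owns nothing else, whose account was created minutes before publishing, and which land in tight bursts. The following is an added illustrative example, not code from the Checkmarx report or from the NPM project; the record layout and the sample data are constructed and do not reflect the real npm registry API.

```python
"""Correlate npm packages published from freshly created, single-package
accounts in tight bursts (added example; constructed record format)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records: (package, publisher, account_created, published).
# The four "user-00x" rows mimic one automated batch; the other two are controls.
SAMPLE = [
    ("pkg-a", "user-001", "2022-02-23T10:00:00", "2022-02-23T10:05:00"),
    ("pkg-b", "user-002", "2022-02-23T10:01:00", "2022-02-23T10:06:00"),
    ("pkg-c", "user-003", "2022-02-23T10:02:00", "2022-02-23T10:07:00"),
    ("pkg-d", "user-004", "2022-02-23T10:03:00", "2022-02-23T10:08:00"),
    ("old-lib", "veteran", "2015-06-01T00:00:00", "2022-02-23T10:09:00"),
    ("pkg-e", "user-005", "2022-02-20T09:00:00", "2022-02-25T12:00:00"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def flag_burst_clusters(records, max_account_age=timedelta(hours=1),
                        window=timedelta(minutes=15), min_cluster=3):
    """Return lists of package names that look like one coordinated batch.

    A record is suspicious when its publisher owns exactly one package in the
    dataset and the account was created at most `max_account_age` before the
    publish. Suspicious records are sorted by publish time and split into
    bursts whenever the gap to the previous record exceeds `window`. Only
    bursts of at least `min_cluster` packages are reported, so a single new
    maintainer publishing a first package is not flagged on its own.
    """
    per_publisher = Counter(r[1] for r in records)
    suspicious = [r for r in records
                  if per_publisher[r[1]] == 1
                  and _ts(r[3]) - _ts(r[2]) <= max_account_age]
    suspicious.sort(key=lambda r: _ts(r[3]))
    clusters, current = [], []
    for r in suspicious:
        if current and _ts(r[3]) - _ts(current[-1][3]) > window:
            clusters.append(current)
            current = []
        current.append(r)
    if current:
        clusters.append(current)
    return [[r[0] for r in c] for c in clusters if len(c) >= min_cluster]


if __name__ == "__main__":
    print(flag_burst_clusters(SAMPLE))  # [['pkg-a', 'pkg-b', 'pkg-c', 'pkg-d']]
```

The thresholds are tunable knobs, not values from the report; the long-lived `veteran` account and the lone `pkg-e` publish fall outside the heuristic by design.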

A Beautiful Factory for Malicious Packages