The findings build on recent reviews from JFrog and Sonatype. Both companies detailed numerous NPM packages that leverage techniques like dependency-confusion and typosquatting to focus on Uber, Airbnb, and Azure builders. Checkmarx mentioned that the first evidence of anomalous activities happened on February 23, 2022, when the cluster of destructive packages were published in “bursts” over seven days. The automation process for uploading the rogue libraries to NPM uses a combination of custom Python code and web screening tools like Selenium to simulate user actions needed to replicate the user creation process in the registry. After creating a new NPM user account, attackers use a malicious package, one per account, allowing the attacker to publish a package without requiring an email One Time Password (OTP). “As supply chain attackers improve their skills and make life harder for their defenders, this attack marks another milestone in their progress. By distributing the packages across multiple usernames, the attacker makes it harder for defenders to correlate take them all down with one stroke,” Checkmarx said.

https://thehackernews.com/2022/03/a-threat-actor-dubbed-red-lili-has-been.html

A Beautiful Factory for Malicious Packages