Threat Watch

Open-Source Repositories Flooded by +144,000 Phishing Packages

A new phishing campaign has been detected by researchers at Checkmarx and Illustria in which an unknown threat actor uploaded a total of 144,294 phishing packages to the open-source repositories NPM, PyPI, and NuGet. The malicious packages were uploaded between Q2 of 2021 and Q3 of 2022, with roughly 133,000 occurring over a weeklong span in February 2022. NuGet had the largest share of malicious packages at 136,258, while PyPI had 7,894 and NPM had 212. Each of the packages was uploaded by a username in the format “<a-z><1900-2022>” and had a similar project name and description. The names were often related to hacking, cheats, and other free resources, and the descriptions contained links to different phishing websites. Because of the similarities in the usernames and descriptions, coupled with the large spike of uploads in February 2022, researchers assessed the activity to be automated.

When investigating the packages, the researchers found that they linked to over 65,000 unique URLs on 90 domains. Compared with a typical phishing campaign, the websites were relatively well designed and even included fake interactive chats. The ultimate goal of these pages appears to be credential harvesting. After interacting with the initial page, users are redirected to numerous surveys that appear to be related to affiliate marketing. When the packages were reported to the repository administrators, most of them were removed.


This campaign highlights two problems for the cybersecurity space: the increase in the frequency and sophistication of phishing, and the increase in automated attacks. Over time, the sophistication of phishing campaigns has increased significantly, with the interactive chat dialogue being an example from this campaign. This sophistication has made phishing campaigns much more successful, which in turn has led to an increase in the frequency of phishing attacks by other actors, making phishing one of the primary tactics used for initial access. The increase also causes many users to become fatigued by the number of phishing emails they receive, which results in more successful campaigns. When these problems are coupled with automation, the problem increases tenfold: an attacker can flood emails, package repositories, or other sites with malicious links on a schedule or at an abnormal volume, making them harder to detect and remove in a reasonable amount of time and causing fatigue for blue teams as well. For organizations, the best control against activity such as this is to monitor for mass account creations and for large spikes in site activity.
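The monitoring described above can be sketched as a check over a registry upload feed. This is an added example, not code from the researchers or the repositories: the event layout, the thresholds, and the reading of the username format as lowercase letters followed by a number from 1900 through 2022 are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed reading of the reported username format "<a-z><1900-2022>":
# lowercase letters followed by a number from 1900 through 2022.
USERNAME_RE = re.compile(r"[a-z]+(?:19\d{2}|20[01]\d|202[0-2])")

def matches_reported_format(username):
    return USERNAME_RE.fullmatch(username) is not None

def flag_days(events, spike_factor=3.0, min_share=0.8):
    """events: (day, publisher, package) tuples from a registry upload feed.
    Flags days whose upload count is spike_factor times the median day AND
    where most uploads come from publishers matching the reported format."""
    by_day = defaultdict(list)
    for day, publisher, _package in events:
        by_day[day].append(publisher)
    # Baseline is the median daily volume, floored at 1 for sparse feeds.
    baseline = max(median(len(p) for p in by_day.values()), 1)
    flagged = {}
    for day, publishers in sorted(by_day.items()):
        share = sum(map(matches_reported_format, publishers)) / len(publishers)
        if len(publishers) >= spike_factor * baseline and share >= min_share:
            flagged[day] = {"uploads": len(publishers), "share": round(share, 2)}
    return flagged

# Constructed sample feed: three quiet days and one burst of look-alike accounts.
SAMPLE_EVENTS = [
    ("2022-02-10", "alice", "json-tools"),
    ("2022-02-10", "build-bot", "http-client"),
    ("2022-02-11", "carol_dev", "yaml-lint"),
    ("2022-02-11", "m1984", "free-gift-codes"),
    ("2022-02-12", "dave", "csv-reader"),
    ("2022-02-12", "erin42", "log-utils"),
] + [("2022-02-13", f"{c}{1990 + i}", f"free-cheats-{i}") for i, c in enumerate("abcdefghij")]

if __name__ == "__main__":
    for day, info in flag_days(SAMPLE_EVENTS).items():
        print(day, info)
```

Requiring both the volume spike and the username share keeps a single matching account on a quiet day (such as `m1984` in the sample) from raising an alert on its own.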

How 140k NuGet, NPM, and PyPi Packages Were Used to Spread Phishing Links