npm registry very risky to use as hundreds more backdoored packages are found

JFrog cybersecurity specialists are investigating a wave of malicious Node Package Manager (npm) packages deployed by an unidentified threat actor. The campaign was first detected on March 21, with 200 packages attempting to mimic legitimate software. According to the latest update, an automated script targeted scopes used by Microsoft Azure developers in the npm registry, including @azure, @azure-rest and @azure-tests, among others.

This morning, Checkmarx researchers Aviad Gershon and Jossef Harush said that their Supply Chain Security (SCS) team has also been tracking this activity and has recorded at least 600 malicious packages published over the past five days, bringing the total to more than 700 malicious packages.

In an attempt to go unnoticed, the attacker has been publishing from unique user accounts. “This is uncommon for automated attacks; typically, attackers create a single user and launch their attacks from that account. This indicates that the threat actor created an end-to-end management process, including user registration and approval of One-Time Password (OTP) challenges.”

As the JFrog report notes, the attack relies on typosquatting: package names that mimic trusted packages using similar-looking characters. In addition, the command-and-control (C&C) server used to manage the attack infrastructure (rt11.ml) is also the destination to which the harvested information is sent.
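The lookalike-name pattern described above can be checked for on the consuming side before `npm install` ever runs. The script below is an added example written for this page, not code from JFrog, Checkmarx or npm: it audits a package.json-shaped object against an allowlist of trusted package names and scopes, folding look-alike characters first and then applying edit distance. The trusted lists, the confusable table and the sample manifest are constructed for illustration; the "scope-dropped" check (a trusted scoped package's base name republished without its scope) goes beyond the specific tactic the article names and is included as a related typosquatting class.

```javascript
// Added example (not from the JFrog or Checkmarx reports): flag dependency names
// that resemble trusted packages or scopes. Allowlists below are constructed.
const TRUSTED_SCOPES = ['@azure', '@azure-rest', '@azure-tests'];
const TRUSTED_PACKAGES = [
  '@azure/core-http', '@azure/identity', '@azure/storage-blob',
  'express', 'lodash', 'left-pad',
];

// Standard Levenshtein edit distance using a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Fold characters that look alike in a terminal so "1odash" compares equal to "lodash".
const CONFUSABLES = [[/0/g, 'o'], [/1/g, 'l'], [/3/g, 'e'], [/5/g, 's'], [/rn/g, 'm'], [/vv/g, 'w']];
function normalize(name) {
  let out = name.toLowerCase();
  for (const [re, rep] of CONFUSABLES) out = out.replace(re, rep);
  return out;
}

// Split "@scope/name" into parts; unscoped names get scope null.
function splitName(name) {
  const m = /^(@[^/]+)\/(.+)$/.exec(name);
  return m ? { scope: m[1], base: m[2] } : { scope: null, base: name };
}

// Closest allowlist entry within maxDist after confusable folding, or null.
function closest(candidate, list, maxDist) {
  let best = null;
  for (const item of list) {
    const d = levenshtein(normalize(candidate), normalize(item));
    if (d <= maxDist && (best === null || d < best.distance)) best = { match: item, distance: d };
  }
  return best;
}

// Verdict for one dependency name.
function classify(name, trustedPackages = TRUSTED_PACKAGES, trustedScopes = TRUSTED_SCOPES) {
  if (trustedPackages.includes(name)) return { name, verdict: 'trusted' };
  const { scope, base } = splitName(name);

  // A scope that is almost, but not exactly, a trusted scope (e.g. "@azure-test").
  if (scope && !trustedScopes.includes(scope)) {
    const hit = closest(scope, trustedScopes, 2);
    if (hit) return { name, verdict: 'scope-lookalike', similarTo: hit.match };
  }

  // A trusted scoped package's base name republished without its scope.
  if (!scope) {
    const dropped = trustedPackages.find((p) => splitName(p).scope !== null && splitName(p).base === base);
    if (dropped) return { name, verdict: 'scope-dropped', similarTo: dropped };
  }

  // Whole-name edit distance against the trusted list.
  const hit = closest(name, trustedPackages, 2);
  if (hit) return { name, verdict: 'typosquat-candidate', similarTo: hit.match };

  return { name, verdict: 'unknown' };
}

// Audit every dependency section; only non-trusted entries are returned as a review list.
function auditManifest(manifest) {
  const names = new Set();
  for (const s of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const n of Object.keys(manifest[s] || {})) names.add(n);
  }
  return [...names].map((n) => classify(n)).filter((r) => r.verdict !== 'trusted');
}

// Constructed sample manifest, not a real project's package.json.
const SAMPLE_MANIFEST = {
  name: 'sample-app',
  dependencies: {
    '@azure/identity': '^2.0.0',
    '@azure-test/core-http': '^1.0.0',
    'core-http': '^1.0.0',
    'lodahs': '^4.17.21',
    'express': '^4.18.0',
  },
  devDependencies: { 'unrelated-pkg': '^1.0.0' },
};

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.verdict}: ${f.name}${f.similarTo ? ` (resembles ${f.similarTo})` : ''}`);
}
```

In practice the allowlist would be generated from a project's lockfile at a known-good point in time, and the review list fed into a CI gate so that a new dependency close to a trusted name or scope blocks the build until someone looks at it. The distance threshold of 2 catches single typos and transpositions; a larger threshold produces more false positives on short names.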

The C&C server appears to be running Interactsh, an open-source tool written in Go for out-of-band data extraction. Checkmarx set up its own domain and server with an Interactsh client to better understand the attacker’s method. The researchers then wrote a script that opens npm accounts on demand using the SeleniumLibrary web-testing software.

This is where Interactsh becomes important. To get past the OTP verification that npm employs, Interactsh automatically extracts the OTP and returns it to the registration form, allowing the account creation request to complete.

The team then followed the attacker’s method by creating an npm template package and a script capable of driving the npm utilities through the ‘login’ and ‘publish’ stages.

Both JFrog and Checkmarx have reported these malicious packages to npm’s security team, and the company hosting the malicious C&C server has also been notified. The attack is still active, so it is up to users to adopt the necessary security measures before falling into the attackers’ trap.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.