Bbabo NET

Researchers have discovered a factory of malicious npm packages

Checkmarx has identified a threat actor it calls RED-LILI, notable for creating and publishing hundreds of malicious packages to the npm ecosystem in an automated fashion. This raises serious concerns about attacks on dependency chains, especially against the backdrop of recent incidents of sabotage by individual developers.

According to Checkmarx, RED-LILI has fully automated the creation of npm accounts in order to carry out dependency confusion attacks that are difficult to detect.

Typically, attackers use an anonymous, disposable npm account from which they launch their attacks. In this case, the attacker fully automated account creation, setting up a dedicated account for each package carrying a malicious payload.

The actor is still active and continues to churn out malicious packages. So far, the researchers have discovered and tracked about 800 packages, most of them each with its own unique user account, created within one week.

The package names were methodically chosen, while the usernames of the publishing accounts were randomly generated strings such as 5t7crz72 and d4ugwerp.
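The traits described above (a randomly generated publisher name, one account per package, very recent publication) can be combined into a triage check over a dependency inventory. This is an added example, not code from Checkmarx or from the article; the record fields, thresholds and sample rows are hypothetical and constructed, and only the two usernames come from the text.

```javascript
// Added example. Record fields (name, publisher, publisherPackageCount,
// firstPublished) are hypothetical; every sample row below is constructed.
const WEEK_MS = 7 * 24 * 60 * 60 * 1000;

// Short lowercase alphanumeric name mixing digits and letters, with few vowels.
// The length range and vowel ratio are assumed thresholds, not published rules.
function looksGenerated(username) {
  if (!/^[a-z0-9]{6,12}$/.test(username)) return false;
  const digits = (username.match(/[0-9]/g) || []).length;
  const vowels = (username.match(/[aeiou]/g) || []).length;
  const letters = username.length - digits;
  return digits >= 1 && letters >= 1 && vowels / username.length <= 0.25;
}

// Collect the signals that apply to one dependency record.
function signalsFor(pkg, nowMs) {
  const signals = [];
  if (looksGenerated(pkg.publisher)) signals.push('generated-looking publisher');
  if (pkg.publisherPackageCount === 1) signals.push('single-package account');
  const age = nowMs - Date.parse(pkg.firstPublished);
  if (age >= 0 && age <= WEEK_MS) signals.push('published within the last week');
  return signals;
}

// Flag only records where all three signals coincide, to limit false positives.
function flagSuspicious(packages, nowMs) {
  return packages
    .map((pkg) => ({ name: pkg.name, signals: signalsFor(pkg, nowMs) }))
    .filter((r) => r.signals.length === 3);
}

const NOW = Date.parse('2022-04-01T00:00:00Z'); // constructed review date
const SAMPLE = [
  { name: 'example-pkg-a', publisher: '5t7crz72', publisherPackageCount: 1, firstPublished: '2022-03-29T10:00:00Z' },
  { name: 'example-pkg-b', publisher: 'd4ugwerp', publisherPackageCount: 1, firstPublished: '2022-03-30T08:30:00Z' },
  // Odd-looking name, but a long-standing multi-package publisher: not flagged.
  { name: 'example-pkg-c', publisher: 'k8sbuild1', publisherPackageCount: 40, firstPublished: '2022-03-31T12:00:00Z' },
  // New single-package author with an ordinary name: not flagged.
  { name: 'example-pkg-d', publisher: 'newmaintainer', publisherPackageCount: 1, firstPublished: '2022-03-28T09:00:00Z' },
  // Generated-looking name, but the package is over a year old: not flagged.
  { name: 'example-pkg-e', publisher: 'x9qktz3w', publisherPackageCount: 1, firstPublished: '2021-01-15T00:00:00Z' },
];

console.log(flagSuspicious(SAMPLE, NOW));
```

A hit is a prompt for manual review of the package before it is installed or allowed into a build, not a verdict.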

Everything points to the attacker having built an end-to-end automation process that covers user registration and passing the OTP challenge, as well as hiding the malicious npm packages.

Before this incident there were cases of malicious payloads being published in a semi-automated way; RED-LILI has made the whole process fully automated, significantly increasing the chances of infection. This marks a new trend in the npm threat landscape, and the problem will only get worse.

The company has published the full list of malicious packages in its write-up (https://checkmarx.com/blog/a-beautiful-factory-for-malicious-packages/).
