"New Campaigns Use Malicious npm Packages to Support Phishing Kits"

Several malicious npm packages on the open-source repository have been used in supply chain attacks and phishing campaigns, according to researchers at ReversingLabs. The researchers noted that the packages pose a dual threat, affecting application end users while also supporting email-based phishing attacks, mainly targeting Microsoft 365 users. The researchers discovered more than a dozen malicious npm packages posted between May 11 and June 13. These packages imitated legitimate modules, such as jquery, which has millions of weekly downloads. The researchers stated that although the malicious packages were downloaded roughly 1000 times, they were swiftly removed from npm after detection. ReversingLabs has named this campaign “Operation Brainleeches” due to the malicious infrastructure used to facilitate the theft of victim data.

In the first part of the campaign, the researchers identified six packages used exclusively in phishing attacks. These packages were linked to phishing campaigns that harvested user data through deceptive Microsoft[.]com login forms delivered via malicious email attachments. The second tranche comprised seven packages targeting email phishing campaigns and software supply chain attacks. The researchers noted that these packages aimed to implant credential harvesting scripts into applications that unwittingly incorporated the malicious npm packages.

During the analysis, the researchers revealed that the malicious npm packages played a role in active phishing attacks, likely conducted by low-skilled actors. While the full extent of the supply chain attack is unclear, the use of obfuscated code and the invocation of popular package names like jquery raise concerns about potential compromises.

 

Infosecurity reports: "New Campaigns Use Malicious npm Packages to Support Phishing Kits"

Submitted by Anonymous on