14.4K phishing emails flood open-source repositories

An unknown threat actor has uploaded 144,294 phishing-related packages to open-source package repositories, including NPM, PyPI and NuGet.

Automation made the scale of the attack possible. The packages were uploaded from accounts that followed a specific naming scheme, carried similar descriptions, and led to the same 90 domains, which host over 65,000 phishing pages.

The operation promotes fake apps, prize-winning surveys, gift cards and giveaways, and also drives referral traffic to AliExpress.

It was a huge operation

Analysts at [name missing from source] and Illustria discovered the phishing scheme and worked together to map it and assess its impact on the open-source software community.

NuGet hosted the largest share of the malicious package uploads, with 134,558 packages, while PyPI had 7,894 and NPM only 212.

The phishing packages were uploaded in bulk within just a few days, which is itself often a sign of malicious activity.

Diagram of malicious package uploads


The package descriptions contained the URLs of the phishing websites, in the hope that links from well-regarded repositories would boost the sites' search-engine ranking (SEO).

The package descriptions encouraged users to click on the links to find out more about the alleged hack tools and gift card codes.
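The three traits the researchers relied on (accounts with a shared naming scheme, near-identical descriptions, and links converging on the same domains within a short upload window) can be turned into a registry-side check. The following script is an added illustration, not code from the report or from the researchers it cites: it assumes package metadata has already been exported into a list of dicts with `name`, `author`, `description` and `published` fields (those field names are an assumption), and the sample records are constructed to mimic a small bulk upload.

```python
"""Flag clusters of packages whose descriptions point at the same domain.

Added illustration, not code from the report or the researchers it cites.
Assumes metadata has been pulled into dicts with 'name', 'author',
'description' and 'published' (ISO 8601) fields; field names are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s)\]>'\"]+", re.IGNORECASE)

# Constructed sample metadata: four packages from similarly named accounts
# pointing at one domain within a day, one legitimate package, and two
# packages pointing at a second domain (below the reporting threshold).
SAMPLE_PACKAGES = [
    {"name": "free-steam-codes-1", "author": "gift_user_001",
     "description": "Get free Steam gift card codes: https://gifts-example.test/steam",
     "published": "2022-12-01T10:00:00"},
    {"name": "free-steam-codes-2", "author": "gift_user_002",
     "description": "Free PSN codes here https://gifts-example.test/psn",
     "published": "2022-12-01T10:05:00"},
    {"name": "free-steam-codes-3", "author": "gift_user_003",
     "description": "Steam gift cards https://gifts-example.test/steam?ref=3",
     "published": "2022-12-01T11:00:00"},
    {"name": "play-credits-gen", "author": "promo_acct_7",
     "description": "Play Store credit generator http://gifts-example.test/play",
     "published": "2022-12-02T09:00:00"},
    {"name": "jsonlite-parser", "author": "maintainer_jane",
     "description": "Small JSON parser. Docs: https://docs.example.org/jsonlite",
     "published": "2022-11-03T08:00:00"},
    {"name": "survey-prize-a", "author": "winner_1",
     "description": "Win a prize https://survey-example.test/a",
     "published": "2022-12-01T12:00:00"},
    {"name": "survey-prize-b", "author": "winner_2",
     "description": "Win a prize https://survey-example.test/b",
     "published": "2022-12-01T12:30:00"},
]


def extract_urls(description):
    """Return every http(s) URL embedded in a description string."""
    return URL_RE.findall(description)


def registered_domain(url):
    """Lower-cased hostname of a URL ('' if unparseable)."""
    return (urlparse(url).hostname or "").lower()


def account_pattern(author):
    """Collapse digit runs so gift_user_001 and gift_user_002 share a key."""
    return re.sub(r"\d+", "#", author.lower())


def find_url_clusters(packages, min_packages=3, window=timedelta(hours=48)):
    """Group packages by linked domain; report domains that at least
    min_packages distinct packages link to within one upload window."""
    by_domain = defaultdict(dict)
    for pkg in packages:
        for url in extract_urls(pkg["description"]):
            by_domain[registered_domain(url)][pkg["name"]] = pkg

    flagged = {}
    for domain, pkgs in by_domain.items():
        if len(pkgs) < min_packages:
            continue
        times = sorted(datetime.fromisoformat(p["published"]) for p in pkgs.values())
        if times[-1] - times[0] > window:
            continue  # spread over a long period: not a burst upload
        flagged[domain] = {
            "packages": sorted(pkgs),
            "account_patterns": sorted({account_pattern(p["author"]) for p in pkgs.values()}),
            "span_hours": (times[-1] - times[0]).total_seconds() / 3600,
        }
    return flagged


if __name__ == "__main__":
    for domain, info in find_url_clusters(SAMPLE_PACKAGES).items():
        print(f"{domain}: {len(info['packages'])} packages in "
              f"{info['span_hours']:.1f}h from accounts {info['account_patterns']}")
```

Only `gifts-example.test` is reported: four distinct packages link to it within 23 hours from two account-name patterns, while the survey domain has too few packages and the documentation link belongs to a single unrelated package. The threshold and window are tuning knobs; the point is that the signal is in the metadata, so the check runs without installing or executing anything.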

Malicious package description


In some cases the descriptions promote fake generators for Steam gift cards, PlayStation Network e-gift card codes and Play Store credit.

Nearly all of these websites ask visitors to enter their usernames and passwords, which is where the credential phishing happens.

Sample of the malicious websites


The fake sites display an element that looks like a working generator, but when visitors try to use it they are instead asked to complete a "human verification" step.

The threat actors then redirect the traffic through various survey websites, eventually landing visitors on legitimate e-commerce sites via the actors' affiliate links. This is how the campaign generates income.

Referral ID on the victim's final destination in the campaign


The stolen email addresses, usernames and game-account passwords can also be monetised: such data is often sold in bulk on darknet and hacking forums.

The security researchers who found the campaign notified NuGet, and all of the packages were removed.

Given how quickly the actors can upload large volumes of packages, however, they could reintroduce the threat under new package names and accounts.

A complete list of the URLs used in this campaign is available as an IoC text file.