Researchers continue to investigate a wave of malicious npm packages, with the published tally now reaching over 700.
Last week, JFrog researchers disclosed the scheme in which an unknown threat actor had published at least 200 malicious Node Package Manager (npm) packages. The team said that the repositories were first detected on March 21 and grew rapidly, with each npm package deliberately named to mimic legitimate software.
An automated script targeted scopes used by Microsoft Azure developers, including @azure, @azure-rest, @azure-tests, and more, in the npm software registry.
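A defender-side check for the name-mimicking described above, added here as an example and not code from JFrog, Checkmarx or the article: it reads a package.json and flags dependencies that reuse a trusted @azure-scoped package's name under a different (or no) scope, or sit within one edit of a trusted name. The trusted list and the sample package.json are constructed for the example.

```python
"""Flag dependencies whose names mimic trusted scoped packages (e.g. @azure/*)."""
import json

# Constructed allow-list for this example; a real check would load the
# organisation's vetted dependency list instead.
TRUSTED = {"@azure/core-http", "@azure/identity", "@azure-rest/core-client"}

# Constructed package.json: one genuine @azure package, two lookalikes, one unrelated.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {"@azure/identity": "^2.0.0", "core-http": "1.0.0", "@azure/core-htp": "1.0.0"},
  "devDependencies": {"lodash": "^4.17.21"}
}"""


def split_scope(name):
    """Return (scope, bare_name); scope is '' for unscoped packages."""
    if name.startswith("@") and "/" in name:
        scope, bare = name[1:].split("/", 1)
        return scope, bare
    return "", name


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_dependencies(package_json_text, trusted=TRUSTED, max_dist=1):
    """Return {dependency: reason} for names that look like trusted packages but are not."""
    pkg = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(pkg.get(section, {}))
    trusted_bare = {split_scope(t)[1]: t for t in trusted}  # bare name -> trusted full name
    findings = {}
    for dep in deps:
        if dep in trusted:
            continue
        scope, bare = split_scope(dep)
        if bare in trusted_bare:  # same package name, scope dropped or swapped
            findings[dep] = f"same name as {trusted_bare[bare]} under a different scope"
            continue
        for t in trusted:  # near-miss spelling of a trusted name
            if edit_distance(dep, t) <= max_dist:
                findings[dep] = f"within {max_dist} edit(s) of {t}"
                break
    return findings


if __name__ == "__main__":
    for dep, reason in suspicious_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"{dep}: {reason}")
```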
On Monday, Checkmarx researchers Aviad Gershon and Jossef Harush said the Supply Chain Security (SCS) team has also been tracking these activities and has recorded over 600 malicious packages published over five days, bringing the total to over 700.
To try to keep the attacks under the radar, the miscreant responsible has been using unique user accounts.
“This is uncommon for the automated attacks we see; usually, attackers create a single user and burst their attacks over it,” Checkmarx says. “From this behavior, we can conclude that the attacker built an automation process from end to end, including registering users and passing the OTP challenges.”
According to Checkmarx, the attacker’s “factory” is developing malicious npm packages relying