15,000 phishing packages found in NPM repository

A blog report by Checkmarx has documented over 15,000 phishing packages in the NPM repository. The packages were given enticing names rather than useful code, and their package pages carried links to phishing sites intended to draw visitors in and harvest information or referral clicks from them.

The packages were published in bulk from multiple accounts, which got them past the registry's abuse controls. They remained live and undetected for a period of time, potentially exposing many users who searched for or browsed to them.

The phishing campaign

The uploads began on February 20 and 21, driven by an automated publishing process spread across many user accounts. Automating the publishing and splitting it across accounts let the attackers push the phishing links out quickly and stay ahead of detection by security teams.

Automated publishing and multiple accounts are a common tactic attackers use to amplify their reach and evade detection: no single account publishes enough to trip a rate limit, and a takedown of one account removes only a fraction of the campaign. This makes it harder for security teams to identify and respond to attacks in a timely manner, and highlights the value of proactive measures such as monitoring package registries for suspicious publishing patterns, gathering threat intelligence, and training users.

It is concerning to see how the attackers behind this incident used package names related to popular games, social media platforms, and free resources to lure users into clicking on the phishing links. Examples include “free-tiktok-followers” and “free-xbox-codes”.

Furthermore, some of the links directed users to eCommerce sites with referral IDs attached, which shows where the money is for threat actors running campaigns like this: every click earns the attacker a referral commission. This underscores the importance of being vigilant when browsing and clicking on links, and of verifying the authenticity of websites and services before entering any sensitive information.
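The indicators described above (lure words in the package name, links out to non-registry sites, referral IDs in those links, and many packages published by one account in a short window) can be turned into a simple triage script over npm registry metadata. The following is an added example, not Checkmarx's tooling or anything from the original report; the lure words, thresholds, the list of "expected" link hosts and the sample package records are all assumptions constructed for illustration:

```javascript
// Added example (not Checkmarx's tooling): heuristic triage of npm registry
// metadata for bulk-published lure packages. The indicators mirror the campaign
// described above: lure words in the name, links out to non-registry sites,
// referral IDs in those links, and many packages from one account in a short
// window. Lure words, thresholds, expected hosts and sample records are assumptions.

const LURE_TERMS = ["free", "followers", "codes", "giftcard", "gift-card", "generator", "unlimited"];
const REFERRAL_PARAMS = new Set(["ref", "referral", "aff", "affiliate", "tag"]);
// Hosts treated as normal for a package page; anything else counts as off-registry.
const EXPECTED_HOST_RE = /^https?:\/\/(www\.)?(npmjs\.com|github\.com)\//i;

function lureTermsIn(text) {
  const lower = text.toLowerCase();
  return LURE_TERMS.filter((term) => lower.includes(term));
}

function extractLinks(text) {
  return text.match(/https?:\/\/[^\s)\]>"']+/g) || [];
}

// Links whose query string carries a referral/affiliate-style parameter.
function referralLinks(links) {
  return links.filter((raw) => {
    let url;
    try { url = new URL(raw); } catch { return false; }
    return [...url.searchParams.keys()].some((k) => REFERRAL_PARAMS.has(k.toLowerCase()));
  });
}

// Maintainers that published at least minCount packages inside some sliding
// window of windowMs; returns Map<maintainer, largest burst size>.
function burstyMaintainers(packages, windowMs, minCount) {
  const times = new Map();
  for (const p of packages) {
    for (const m of p.maintainers) {
      if (!times.has(m)) times.set(m, []);
      times.get(m).push(Date.parse(p.created));
    }
  }
  const flagged = new Map();
  for (const [m, ts] of times) {
    ts.sort((a, b) => a - b);
    let best = 0;
    for (let lo = 0, hi = 0; hi < ts.length; hi++) {
      while (ts[hi] - ts[lo] > windowMs) lo++;
      best = Math.max(best, hi - lo + 1);
    }
    if (best >= minCount) flagged.set(m, best);
  }
  return flagged;
}

// Score each package by the number of independent indicators it trips and
// return those with at least minScore, highest first.
function triage(packages, { windowMs = 60 * 60 * 1000, minBurst = 3, minScore = 2 } = {}) {
  const bursts = burstyMaintainers(packages, windowMs, minBurst);
  const results = packages.map((p) => {
    const reasons = [];
    const lures = lureTermsIn(`${p.name} ${p.description}`);
    if (lures.length) reasons.push(`lure terms: ${lures.join(",")}`);
    const links = extractLinks(`${p.description}\n${p.readme}`);
    const offRegistry = links.filter((l) => !EXPECTED_HOST_RE.test(l));
    if (offRegistry.length) reasons.push(`${offRegistry.length} off-registry link(s)`);
    if (referralLinks(links).length) reasons.push("referral id in link");
    const burster = p.maintainers.find((m) => bursts.has(m));
    if (burster) reasons.push(`${burster} published ${bursts.get(burster)} packages in window`);
    return { name: p.name, score: reasons.length, reasons };
  });
  return results.filter((r) => r.score >= minScore).sort((a, b) => b.score - a.score);
}

// Constructed sample records in a packument-like shape; these are not real packages.
const SAMPLE_PACKAGES = [
  { name: "free-tiktok-followers", description: "Get free TikTok followers now!",
    readme: "Claim here: https://example-lure.invalid/claim?ref=abc123",
    maintainers: ["acct-one"], created: "2023-02-20T10:00:00Z" },
  { name: "free-xbox-codes", description: "Free Xbox codes generator",
    readme: "Redeem: https://example-lure.invalid/xbox?aff=acct1",
    maintainers: ["acct-one"], created: "2023-02-20T10:05:00Z" },
  { name: "free-instagram-likes", description: "Free Instagram likes, no survey",
    readme: "Go to https://example-lure.invalid/ig to claim",
    maintainers: ["acct-one"], created: "2023-02-20T10:09:00Z" },
  { name: "unlimited-gems-2023", description: "Unlimited gems for your favourite game",
    readme: "Visit https://example-lure.invalid/gems for unlimited gems",
    maintainers: ["acct-two"], created: "2023-02-21T03:00:00Z" },
  { name: "left-pad-clone", description: "Pads the left side of a string",
    readme: "See https://github.com/example/left-pad-clone",
    maintainers: ["dev-legit"], created: "2023-01-03T09:00:00Z" },
];

function runSample() {
  return triage(SAMPLE_PACKAGES);
}

console.log(JSON.stringify(runSample(), null, 2));
```

Each indicator on its own is noisy (plenty of honest packages link off-registry, and a busy maintainer can publish three packages in an hour), so the script only reports packages that trip at least two of them; in the constructed sample the three bulk-published lure packages score 3 or 4, the single-account lure package scores 2, and the ordinary utility package is not reported at all. Against real data the same logic would be fed from the registry's package metadata and the thresholds tuned to the volume being observed.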

As the Checkmarx researcher noted, the consequences of this specific campaign may not appear as severe as those of other open-source supply-chain attacks, but the same publishing infrastructure could easily be adapted to deliver something far more harmful than referral links. It is therefore important for developers, security teams, and end-users to stay informed about the latest threats and take proactive steps to protect against them.

What is NPM?

NPM (commonly expanded as Node Package Manager) is the package manager for the JavaScript ecosystem. It is a free and open-source tool that allows developers to easily share and reuse JavaScript code.

With NPM, developers can browse and install packages from a vast online repository of over 1 million open-source packages. These packages contain pre-written code that developers can use to build web applications, APIs, command-line tools, and other software projects.

NPM is widely used in the JavaScript community and is the default package manager bundled with the Node.js JavaScript runtime. Developers use NPM to manage dependencies in their Node.js projects, ensuring that all required packages are installed and up-to-date.

In addition to managing dependencies, NPM also provides tools for publishing and sharing packages, managing user access and permissions, and versioning packages. This makes it easy for developers to collaborate on projects and share code with others in the community.


Checkmarx is a software security company that provides solutions and services to help organisations manage and mitigate software security risks. The company offers a range of products and services, including static application security testing (SAST), dynamic application security testing (DAST), software composition analysis (SCA), and interactive application security testing (IAST), among others.

Checkmarx’s solutions are designed to help organisations identify and remediate vulnerabilities in their software applications throughout the software development lifecycle, from code development to deployment and maintenance. The company’s products are used by developers, security professionals, and DevOps teams across a variety of industries, including financial services, healthcare, and government.

In addition to its software security solutions, Checkmarx also provides training and consulting services to help organisations improve their overall software security posture. The company is headquartered in Atlanta, Georgia and has offices in the United States, Europe, and Asia-Pacific.


  1. David Blake

    The best protection from phishing attack is awareness and education. Don’t open attachments or links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL. Never provide your personal information in response to an unsolicited request, whether it is over the phone or over the Internet.

  2. Larry Colt

    The discovery of over 15,000 phishing packages in the NPM repository is concerning and highlights the need for proactive measures to protect against cyber attacks. The use of automated processes and multiple accounts to distribute phishing links makes it difficult for security teams to identify and respond to attacks. The fact that attackers were able to use enticing package names related to popular games and social media platforms to lure users into clicking on the phishing links underscores the need for caution when browsing and clicking on links.

Discover more from Domain Magazine
