An extremely primitive supply-chain attack is being carried out for profit by a “researcher” on Node Package Manager (npm) in three languages. After finding a public reference to a package name, a squat is attempted:
During the second half of 2020… we were able to automatically scan millions of domains belonging to the targeted companies and extract hundreds of additional javascript package names which had not yet been claimed on the npm registry. I then uploaded my code to package hosting services under all the found names and waited for callbacks.
They rate success in terms of the easy money paid to them by targets offering a “bounty”, as well as quantity for potential squats:
…logging the username, hostname, and current path of each unique installation. Along with the external IPs… [squatted] more than 35 organizations to date, across all three tested programming languages. The vast majority of the affected companies fall into the 1000+ employees category, which most likely reflects the higher prevalence of internal library usage within larger organizations. Due to javascript dependency names being easier to find, almost 75% of all the logged callbacks came from npm packages…
They repeatedly pat themselves on the back for getting money out of people for this and they exhibit a lot of “social entry” interest in their “shout-out” section, which thanks “bounty programs, making it possible for us to spend time chasing ideas”…