In May, a set of 148 npm packages masquerading as student web proxies were utilized to transform browsers into a distributed denial-of-service (DDoS) botnet, according to a recent study by JFrog. This campaign exploited the npm registry to host compromised proxy sites, leveraging students who bypassed school web filters to generate attack traffic.
Exploitation of Npm Packages
These malicious packages, branded with names such as charlie-kirk and ilovefemboys, included a proxy app called ‘Lucide.’ Outwardly, they functioned as web proxies to help students access blocked content. However, in the background, a remote code loader and a WebSocket flood generator targeting the Wisp protocol were activated, turning unsuspecting browsers into a botnet.
Unlike typical threats that activate upon installation, these packages did not contain lifecycle hooks or native build scripts, and remained dormant until a page was opened in a browser. This approach bypassed traditional build pipelines, posing a unique challenge to developers and network administrators.
Technical Insights and Impact
The operation was initially misclassified as adware and registry abuse by SafeDep in May, but JFrog’s deeper analysis revealed a more sophisticated campaign. They unraveled a complex script, over 20,600 lines long, from a singular JavaScript line. This script executed a two-pronged DDoS attack, utilizing both an HTTP flood and a WebSocket-based method targeting the Wisp protocol.
The HTTP flood generated excessive traffic directed at a legitimate domain, while the WebSocket attack established numerous connections to a server, overwhelming it with requests. These actions exploited the wisp-server-node’s vulnerabilities, causing resource exhaustion and server instability.
Response and Future Implications
In response to this threat, many of the compromised packages were removed from npm, replaced with security placeholders. JFrog advises network administrators to block the associated domains and clear any residual browser caches. The potential for reactivation remains, as the malicious code can be re-enabled with minimal effort.
This incident highlights the ongoing risks associated with public code repositories being used as free content delivery networks. It underscores the need for enhanced security measures and vigilance within the software development community to prevent similar exploits in the future.
As the situation develops, The Hacker News is in contact with JFrog to gather further insights into the botnet’s scale and the specifics of the WebSocket attack.
