← All stories
● Covered by 1 source Β· 1 reportHigh impact

148 npm Packages Created DDoS Botnet Using Student Proxy Disguise

Aggregated by BrevFeed security Β· updated 1h ago
πŸ”– Save

A research report details how 148 npm packages disguised as student proxies turned browsers into a DDoS botnet for two weeks in May. This operation exploited students' need to bypass web filters, transforming their devices into attack traffic sources that operated without users' knowledge.

Key points

Overview of the Attack

A recent investigation by JFrog uncovered a malicious campaign involving 148 npm packages disguised as helpful student web proxies. The operation ran for approximately two weeks in May, effectively turning users' browsers into a distributed denial-of-service (DDoS) botnet.

The packages were cleverly named, including titles like charlie-kirk and ilovefemboys, and presented themselves as services like Riverbend Tutoring to lure students needing to bypass content filters.

Mechanics of the Malicious Packages

These packages functioned by loading a remote code loader disguised within a seemingly benign proxy application. When a user accessed one of these proxy sites, it initiated a WebSocket flood generator designed to execute DDoS attacks.

Importantly, the malicious code did not activate upon installation, as the packages lacked lifecycle hooks and native build scripts, ensuring they were not detected by conventional installation checks.

Comparisons with Past Vulnerabilities

Unlike previous attacks that directly targeted developers, this campaign targeted end-users who unknowingly contributed to the botnet activities. Such differences highlight a growing trend in malicious software distribution where developers are bypassed altogether, shifting the attack vector towards non-technical users.

Previous incidents involved self-replicating worms and malicious payloads embedded within high-traffic packages, directly affecting the developer community. The new approach presents a challenge as it focuses on exploitation through user engagement rather than developer vulnerabilities.

Analysis and Findings

JFrog's analysis revealed the complexity of the underlying code, which included a 5.4 MB JavaScript bundle that unpacked into over 20,600 lines of codeβ€”far from simple adware as initially suggested by SafeDep. This undermines the typical perception of npm package vulnerabilities, illustrating a sophisticated method of harnessing user behavior for malicious outcomes.

The operation underscores the necessity for stricter scrutiny of package integrity and user education on the risks of seemingly harmless software aids.

Conclusion and Industry Implications

The incident raises significant concerns regarding the security of package registries like npm. With such exploitative tactics on the rise, it emphasizes the critical need for enhanced monitoring and security measures to protect end-users and maintain trust within the software development community.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Primary sources

GitHub MercuryWorkshop/wisp-protocol GitHub MercuryWorkshop/wisp-server-node

Reporting from

A research report details how 148 npm packages disguised as student proxies turned browsers into a DDoS botnet for two weeks in May. This operation exploited students' need to bypass web filters, transforming their devices into attack traffic sources that operated without users' knowledge.