148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet
Summary
A campaign involving 148 npm packages, presented as student web proxies, was discovered to have turned visitors' browsers into a distributed denial-of-service (DDoS) botnet for approximately two weeks in May. The malicious packages utilized the npm registry as free hosting for a booby-trapped proxy site, targeting students attempting to circumvent internet restrictions.
IFF Assessment
This campaign leveraged legitimate-looking packages to create a botnet, posing a direct threat to users and potentially impacting network infrastructure through DDoS attacks.
Defender Context
This incident highlights the ongoing risk of malicious packages infiltrating software supply chains, even those disguised as legitimate tools like proxies. Defenders should exercise caution when incorporating third-party libraries, especially from less vetted sources, and implement robust security scanning throughout the development lifecycle.