Report on abuse in npm platform. #1045
To whom it may concern,

We are computer security research teams from Fudan University. Here is our personal homepage and lab homepage https://security.fudan.edu.cn/.

In our recent studies, we found a widespread abuse on the npm platform where attackers try to promote their own content including phishing sites, gambling sites, unlicensed online pharmacies, etc. These types of Blackhat SEO abusive packages usually do not directly distribute malicious content (e.g., malicious code), but simply post advertisements that appear to be found in normal websites to direct users to click on unauthorized sites. Currently, there are 943,779 packages that we have determined to be abusive. We believe that such abusive behaviour not only severely impacts the platform ecosystem, but also induces users to spend fraudulently.

Here we attach a few abusive packages that are still alive; please contact me at my email address if you need full information about the other nearly 1 million abusive packages. Following are the sample abusive packages on the npm platform:

- available_down_load_ebo_ok_saint_5rxkd0 - npm (npmjs.com)
- free-tiktok-coins-wdvxw - npm (npmjs.com)
- how-to-fix-your-credit-score-for-free-9hmxf4rgu - npm (npmjs.com)

Best regards,
Team from Fudan University
2023.12.4
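The report above describes the naming pattern of these Blackhat SEO packages: spam keywords (sometimes split across separators to evade simple filters) followed by a random token that keeps the name unique. The following is an added example, not code from the report's authors or from npm, of a name-based triage heuristic a registry maintainer could run over package names; the keyword list, scoring weights and threshold are constructed for illustration, and the three sample names come from the report.

```python
import re

# Constructed keyword list for this example; a production filter would be far larger and tuned.
SPAM_KEYWORDS = (
    "free", "coins", "download", "ebook", "credit", "score", "fix",
    "generator", "hack", "cheat", "casino", "pharmacy", "watch", "online",
)
VOWELS = set("aeiouy")


def tokens(name: str) -> list[str]:
    """Split an npm package name on the separators spam names typically use."""
    return [t for t in re.split(r"[-_.]", name.lower()) if t]


def looks_random(token: str) -> bool:
    """A trailing token with digits or no vowels (e.g. 'wdvxw', '5rxkd0') is the
    uniqueness padding spam packages append to avoid name collisions."""
    return len(token) >= 5 and (any(c.isdigit() for c in token) or not VOWELS & set(token))


def keyword_hits(name: str) -> list[str]:
    """Search the collapsed name so split words such as 'down_load' and 'ebo_ok'
    still match 'download' and 'ebook'."""
    collapsed = re.sub(r"[^a-z0-9]", "", name.lower())
    return [k for k in SPAM_KEYWORDS if k in collapsed]


def seo_spam_score(name: str) -> int:
    """One point per spam keyword, plus one for a random trailing token,
    plus one for an unusually long (5+ token) name."""
    parts = tokens(name)
    score = len(keyword_hits(name))
    if parts and looks_random(parts[-1]):
        score += 1
    if len(parts) >= 5:
        score += 1
    return score


def is_seo_spam(name: str, threshold: int = 3) -> bool:
    """Threshold keeps single-keyword benign names like 'download-manager' unflagged."""
    return seo_spam_score(name) >= threshold


if __name__ == "__main__":
    samples = ["available_down_load_ebo_ok_saint_5rxkd0", "free-tiktok-coins-wdvxw",
               "how-to-fix-your-credit-score-for-free-9hmxf4rgu",
               "express", "react-dom", "download-manager"]  # last three constructed benign names
    for n in samples:
        print(f"{seo_spam_score(n)}  {'SPAM ' if is_seo_spam(n) else 'ok   '} {n}")
```

Name-based scoring is only a first triage pass; the report notes the packages carry advertisement text rather than code, so a fuller check would also inspect README and description content.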
Replies: 1 comment
Can you please submit a ticket with your findings to https://www.npmjs.com/support