dos-attack

Analysis

The Node.js npm open source package repository was recently hit by a short denial-of-service (DoS) attack that interrupted npm and caused users to receive the "Service Unavailable" error message. Open source repositories frequently rank highly in search engine results, and this kind of attack takes advantage of that. The attackers built phony websites and uploaded empty npm modules whose README.md files linked to them. As a consequence, there are now 1.42 million package versions accessible on npm, up from 800,000 previously.

Although there have been other phishing efforts of a similar kind in the past, this most recent attack was especially sophisticated and widespread.

Prevention

  • Start using flood protection in your project by running `npm i flood-protection`.
  • Set up rate limiting.
  • Disconnect a user or connection when it sends too many requests.
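
A sketch of the last two items (rate limiting, then disconnecting a client that keeps exceeding the limit), written for this page as an added example; it is not the `flood-protection` package's code or API. The class and method names, the limits and the sample client address are assumptions.

```javascript
// Per-client token bucket with a strike counter (illustrative names and limits).
class RateLimiter {
  constructor({ rate = 5, per = 1000, maxStrikes = 3, now = Date.now } = {}) {
    this.rate = rate;             // bucket capacity: requests allowed per window
    this.per = per;               // window length in milliseconds
    this.maxStrikes = maxStrikes; // consecutive rejections before disconnecting
    this.now = now;               // injectable clock so the logic can be tested
    this.clients = new Map();     // client key -> { tokens, last, strikes }
  }

  // Returns "allow", "reject" (answer 429) or "disconnect" (close the socket).
  check(key) {
    const t = this.now();
    let c = this.clients.get(key);
    if (!c) {
      c = { tokens: this.rate, last: t, strikes: 0 };
      this.clients.set(key, c);
    }
    // Refill in proportion to elapsed time, capped at the bucket capacity.
    c.tokens = Math.min(this.rate, c.tokens + ((t - c.last) * this.rate) / this.per);
    c.last = t;
    if (c.tokens >= 1) {
      c.tokens -= 1;
      c.strikes = 0;
      return "allow";
    }
    c.strikes += 1;
    return c.strikes >= this.maxStrikes ? "disconnect" : "reject";
  }

  // Drop clients idle for a full window so the map cannot grow without bound,
  // which would otherwise turn the limiter itself into a memory-exhaustion target.
  sweep() {
    const t = this.now();
    for (const [key, c] of this.clients) {
      if (t - c.last >= this.per) this.clients.delete(key);
    }
    return this.clients.size;
  }
}

// Constructed sample: one client (documentation address) sends 10 requests at once.
function simulateBurst() {
  const limiter = new RateLimiter({ rate: 5, per: 1000, maxStrikes: 3, now: () => 0 });
  const decisions = [];
  for (let i = 0; i < 10; i++) decisions.push(limiter.check("203.0.113.7"));
  return decisions;
}
```

In a server, `check()` would be called with the client address on each request, and `sweep()` on a timer.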

Detection

Create rules for DoS and DDoS attacks in the SIEM (security information and event management) tool to detect this activity.

Indicators of Compromise (IOCs)

  • Abnormal Network Traffic.
  • Anomalous DNS Requests.
  • DDoS Attacks.
  • Unusual Login Activity.
  • Abnormal Privileged Account Activity.
  • Spikes in Database Read Volume.
  • Repeated Requests for Same File.
  • User-Application Mismatch.
