NuGet, PyPi, and npm ecosystems are the target of a new campaign that has resulted in over 144,000 packages being published by unknown threat actors.
“The packages were part of a new attack vector, with attackers spamming the open-source ecosystem with packages containing links to phishing campaigns,” researchers from Checkmarx and Illustria said in a report published Wednesday.
Of the 144,294 phishing-related packages that were detected, 136,258 were published on NuGet, 7,824 on PyPi, and 212 on npm. The offending libraries have since been unlisted or taken down.