Full Report
A campaign of 148 npm packages disguised as student web proxies turned visitors' browsers into a distributed denial-of-service botnet for roughly two weeks in May, according to new research from JFrog. The packages did not go after the developers who might install them. The operators used the registry as free hosting for a booby-trapped proxy site and let the students who came to dodge
Analysis Summary
# Incident Report: "Student Proxy" npm Distributed Denial-of-Service Botnet
## Executive Summary
A malicious campaign involving 148 npm packages masquerading as web proxies infected unsuspecting users to create a distributed denial-of-service (DDoS) botnet. Rather than targeting developers, the threat actors used the npm registry to host booby-trapped proxy sites that turned visitors' browsers into attack nodes. The campaign remained active for approximately two weeks in May 2024 before being identified and mitigated.
## Incident Details
- **Discovery Date:** Late May 2024
- **Incident Date:** Mid-May to late May 2024
- **Affected Organization:** npm Registry (hosting platform), various targeted websites (DDoS victims)
- **Sector:** Technology / Software Supply Chain
- **Geography:** Global (targeting students/users seeking to bypass web filters)
## Timeline of Events
### Initial Access
- **Date/Time:** May 2024
- **Vector:** Dependency Confusion / Typosquatting and Social Engineering
- **Details:** Attackers uploaded 148 packages to the npm registry. These packages contained functional web proxy code designed to appeal to students looking to bypass school internet filters.
### Lateral Movement
- **Mechanism:** Not applicable (The attack targeted end-user browsers via the npm-hosted site rather than moving through an internal network).
### Data Exfiltration/Impact
- **Details:** No data was exfiltrated. The impact was the unauthorized use of client-side resources (CPU and bandwidth) to launch DDoS attacks against third-party targets.
### Detection & Response
- **How it was discovered:** Security research conducted by JFrog identified the anomalous package behavior and high volume of related uploads.
- **Response actions taken:** The malicious packages were reported to the npm security team and subsequently removed from the registry.
## Attack Methodology
- **Initial Access:** Supply Chain Poisoning; exploiting the npm registry as a free hosting service for malicious frontend applications.
- **Persistence:** Browser-based session persistence; the attack remained active as long as the user kept the proxy tab open.
- **Privilege Escalation:** N/A.
- **Defense Evasion:** Used legitimate-looking proxy functionality to mask the underlying malicious DDoS script.
- **Credential Access:** N/A.
- **Discovery:** N/A.
- **Lateral Movement:** N/A.
- **Collection:** N/A.
- **Exfiltration:** N/A.
- **Impact:** Distributed Denial-of-Service (DDoS). The malicious scripts executed in the background of the user's browser, sending repeated requests to target servers.
## Impact Assessment
- **Financial:** Unknown; potential costs incurred by targets of the DDoS attacks for mitigation.
- **Data Breach:** None reported.
- **Operational:** Significant abuse of npm registry infrastructure; potential slowdown of user devices.
- **Reputational:** Minimal for npm, though it highlights ongoing vulnerabilities in public package registries.
## Indicators of Compromise
- **Network indicators:**
- High-frequency requests to targeted URLs originating from student/proxy user IPs.
- Connections to `hxxps[://]registry[.]npmjs[.]org/` for fetching malicious proxy assets.
- **File indicators:** 148 npm package names (frequently imitating "proxy," "unblocker," or "student-unblock").
- **Behavioral indicators:** Browser spikes in CPU/network usage when accessing unauthorized proxy sites.
## Response Actions
- **Containment:** Removal of the 148 packages from the npm registry by GitHub/npm.
- **Eradication:** Automated cleanup of the registry to prevent further downloads.
- **Recovery:** Public disclosure by JFrog to inform the security community and target organizations.
## Lessons Learned
- **Key takeaways:** Threat actors are increasingly using package registries not just to infect developers, but as "bulletproof" hosting for malicious web applications.
- **What could have been done better:** Enhanced automated scanning of npm packages for client-side scripts that perform repetitive external requests (DDoS signatures).
## Recommendations
- **Registry Monitoring:** Implement stricter "reams" or reputation scoring for new publishers uploading a high volume of similar packages in a short window.
- **Educational Awareness:** Advise students and educational institutions on the risks of using "free" web proxies found in public repositories.
- **Content Security Policy (CSP):** Target organizations should maintain robust DDoS protections to mitigate traffic from unconventional botnets (like those residing in browser memory).