The open source package registries PyPI, NuGet and npm have been flooded with junk packages relating to popular online games such as Roblox and Fortnite, recent analysis shows.
As explained in a report from cybersecurity firm Sonatype, the junk packages do not contain malicious code. Instead, their associated README files direct visitors towards spam domains that claim to offer free in-game currency and custom skins.
These fraudulent domains are set up to harvest the personal information and account credentials of anyone who interacts with them.
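The pattern described above (packages that carry no malicious code but whose README points to lure domains) is easy to screen for from registry metadata. The following is an added example, not Sonatype's tooling or any registry's own code: a heuristic scorer that runs offline over a handful of constructed README records. The lure phrases, the allowlist of documentation hosts, the game keywords and the flagging threshold are all assumptions chosen for illustration.

```python
"""Heuristic scanner for README-based spam packages (added example, not Sonatype's code)."""
import re
from urllib.parse import urlparse

# Lure phrases typical of the campaign described above (assumed list, not exhaustive).
LURE_RE = re.compile(
    r"\bfree\s+(?:robux|v-?bucks|skins?|gems?|coins?)\b"
    r"|\b(?:robux|v-?bucks)\s+generator\b"
    r"|\bno\s+(?:human\s+)?verification\b",
    re.IGNORECASE,
)

# Hosts where legitimate package documentation normally lives (assumed allowlist).
TRUSTED_HOSTS = {"github.com", "gitlab.com", "pypi.org", "readthedocs.io", "npmjs.com", "nuget.org"}

# Game/platform keywords that the article reports the campaign targets.
GAME_KEYWORDS = ("roblox", "fortnite", "discord", "robux", "v-bucks", "vbucks")

URL_RE = re.compile(r"https?://[^\s)\]>\"']+", re.IGNORECASE)
INSTALL_RE = re.compile(r"(?:pip|npm|yarn|dotnet)\s+(?:install|add)|```", re.IGNORECASE)

FLAG_THRESHOLD = 3  # assumed cut-off; tune against your own registry sample


def extract_hosts(readme):
    """Return the lower-cased set of hostnames linked from a README."""
    hosts = set()
    for url in URL_RE.findall(readme):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_trusted(host):
    """True if host is an allowlisted documentation host or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def score_package(pkg):
    """Score one package record {'name': ..., 'readme': ...}; higher means more spam-like."""
    readme = pkg["readme"]
    score, reasons = 0, []

    lures = sorted({m.group(0).lower() for m in LURE_RE.finditer(readme)})
    if lures:
        score += 2
        reasons.append("lure phrases: " + ", ".join(lures))

    untrusted = sorted(h for h in extract_hosts(readme) if not is_trusted(h))
    if untrusted:
        score += min(len(untrusted), 3)  # cap so one README cannot dominate on links alone
        reasons.append("outbound links to non-allowlisted hosts: " + ", ".join(untrusted))

    if not INSTALL_RE.search(readme):
        score += 1  # no install command or code block: README documents nothing installable
        reasons.append("no install instructions or code block")

    if any(k in pkg["name"].lower() for k in GAME_KEYWORDS):
        score += 1
        reasons.append("game keyword in package name")

    return {"name": pkg["name"], "score": score, "flagged": score >= FLAG_THRESHOLD, "reasons": reasons}


# Constructed sample records modelled on the campaign; the names and .example domains are made up.
SAMPLE_PACKAGES = [
    {
        "name": "roblox-robux-free-2023",
        "readme": "# FREE ROBUX\n\nClick here for free Robux, no human verification: "
                  "https://free-robux-now.example/claim\n\n"
                  "Also grab free Fortnite skins at https://fortnite-skins.example/get",
    },
    {
        "name": "requests-retry-helper",
        "readme": "# requests-retry-helper\n\nInstall with `pip install requests-retry-helper`.\n\n"
                  "```python\nimport requests_retry_helper\n```\n\n"
                  "Docs: https://github.com/example/requests-retry-helper",
    },
    {
        "name": "roblox-api-client",
        "readme": "# roblox-api-client\n\nA thin wrapper around the Roblox web API.\n\n"
                  "```bash\npip install roblox-api-client\n```\n\n"
                  "Source: https://github.com/example/roblox-api-client\n"
                  "API reference: https://create.roblox.com/docs",
    },
]


def scan(packages=SAMPLE_PACKAGES):
    """Score every record and return results keyed by package name."""
    return {p["name"]: score_package(p) for p in packages}


if __name__ == "__main__":
    for result in scan().values():
        mark = "FLAG" if result["flagged"] else "ok  "
        print(f"{mark} {result['score']:>2}  {result['name']}  {'; '.join(result['reasons'])}")
```

The third record is the useful control: a legitimate Roblox API wrapper earns points for its name and for linking to a non-allowlisted host, but stays below the threshold because it documents an install step and contains no lure phrases. Any real deployment would replace the embedded records with metadata pulled from the registry's API and tune the allowlist and threshold against a labelled sample.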
Large-scale spam campaigns
As Sonatype notes, it is not uncommon for open source repositories to be abused in spam campaigns, because the low barrier to publishing a package creates ideal conditions for abuse.
However, the specific objective of these campaigns is less clear. The best guess among security researchers so far is that the spam packages are designed to boost the SEO performance of the malicious domains.
“One theory is, these spam campaigns are a ploy to improve the SEO for their spammy domains,” explained Ax Sharma, Security Researcher at Sonatype, in an email exchange with TechRadar Pro. “When someone searches for ‘free Roblox Robux’, the open source repository’s reputation and search index ranking lends credence to the attacker’s links, which may now shine through the search results.”
Although all of the affected repositories told Sonatype they have mechanisms in place to stop these outbound links conferring an SEO advantage, the spam domains' appearance on high-reputation, heavily indexed platforms may nonetheless lift their search engine rankings to some extent.
Sharma suggests the latest campaigns are particularly noteworthy for their focus on video games, especially those frequented by younger players. In addition to Fortnite and Roblox spam, Sonatype has recently identified multiple campaigns targeting users of Discord, a messaging platform popular among gamers.
One possibility is that cybercriminals have settled on younger gamers as an easy mark, because such players typically have neither the experience to recognise online scams nor the money to buy in-game currency and cosmetics through legitimate channels.