Description
📌 Challenge Overview
Challenge Title:
(e.g., Malicious Code Packages)
Difficulty Level:
- Beginner
- Intermediate
- Advanced
Description / Scenario:
Attackers hide as helpful and friendly open-source contributors and hijack software packages that rely on open-source contributions.
Learning Objective:
Verify packages in code development, including updates to existing ones.
Phishing Technique Used:
Attackers try to poison published packages by publishing packages with a similar name that potentially confuses users. Normally, if the package itself were searched for, users could tell the real ones from the fake ones more easily, but more sophisticated methods involve attackers posing as genuine open-source contributors and burying the malicious package swap in a mountain of other, actually genuine contributions. A sophisticated and recent attack targeting a VS Code extension via a pull request that was merged is detailed here:
https://www.reversinglabs.com/blog/malicious-pull-request-infects-vscode-extension
Another similar one that targets IDE extensions is here:
https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-crypto-heist/116908/
📸 Screenshots / Demo
🪙 Reward Wallet Address (USDT - ERC20 Polygon/Arbitrum)
ktehrani.eth
✅ By submitting this challenge, I agree to open-source it under the project's license and allow the Unphishable team to modify or improve it for consistency.
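
One way a reviewer could check for the package swap described under "Phishing Technique Used" (an added example, not part of the original submission; the helper names and every package name are constructed for illustration): compare `package.json` before and after a pull request and flag new dependencies whose names sit within a small edit distance of ones the project already used.

```javascript
// Added example. BEFORE/AFTER are constructed manifests, not real packages.

// Levenshtein edit distance between two package names (single-row DP).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Merge runtime and dev dependencies into one name -> range map.
function allDeps(manifest) {
  return { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
}

// Return one finding per dependency the pull request added or changed.
// "lookalike" means the new name is close to a name the project already used.
function reviewDependencyChanges(before, after, maxDistance = 2) {
  const oldDeps = allDeps(before);
  const findings = [];
  for (const [name, range] of Object.entries(allDeps(after))) {
    if (!(name in oldDeps)) {
      const near = Object.keys(oldDeps).find((k) => editDistance(name, k) <= maxDistance);
      findings.push({ name, kind: near ? "lookalike" : "added", lookalike: near || null });
    } else if (oldDeps[name] !== range) {
      findings.push({ name, kind: "version-changed", lookalike: null });
    }
  }
  return findings;
}

const BEFORE = { dependencies: { "acme-crypto-utils": "^1.2.0", "example-http": "^4.1.0" } };
const AFTER = {
  dependencies: { "acme-crypt0-utils": "^1.2.0", "example-http": "^4.2.0" },
  devDependencies: { "example-cli": "^2.0.0" },
};

for (const f of reviewDependencyChanges(BEFORE, AFTER)) {
  console.log(`${f.kind}: ${f.name}` + (f.lookalike ? ` (resembles ${f.lookalike})` : ""));
}
```

Run against the base and head revisions of a pull request, any `lookalike` or `added` finding is a prompt to look the package up in the registry before merging, however many unrelated changes surround it.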