head<\/em>pic.jpg” width=”1600″><\/p>\n
Recent analysis has revealed the presence of 60 malicious packages within the NPM index, which are designed to collect sensitive host and network data to transmit it to a Discord webhook controlled by malicious actors.<\/p>\n
The packages were identified by the Threat Research team at Socket, who noted that these malicious uploads began on May 12 from three distinct publisher accounts.<\/p>\n
Each of the identified packages includes a post-install script that executes automatically during the installation process ( The script actively probes for hostnames linked to cloud service providers and attempts to identify reverse DNS strings, ostensibly to discern whether it is operating within a secure analysis environment.<\/p>\n Although the Socket team did not observe the deployment of second-stage payloads or privilege escalation mechanisms, the nature of the information gathered poses a significant risk for targeted network attacks.<\/p>\n Despite reporting the findings, as of the time of writing, these malicious packages remained accessible on the NPM repository with a total download count of approximately 3,000. However, subsequent to the publishing of this article, they have been removed from the repository.<\/p>\n In a bid to deceive developers into utilizing their packages, the threat actors employed package names that closely resemble legitimate ones available in the index, such as \u2018flipper-plugins,\u2019 \u2018react-xterm2,\u2019 and \u2018hermes-inspector-msggen.\u2019 These names were crafted to evoke a sense of trust, with some hinting at testing purposes, which may target Continuous Integration\/Continuous Deployment (CI\/CD) pipelines.<\/p>\n A comprehensive list of the 60 malicious packages is available through Socket\u2019s detailed report.<\/p>\n For any developers who may have inadvertently installed these packages, it is crucial to remove them immediately and conduct a thorough system scan to eliminate any traces of infection.<\/p>\n In a separate malware campaign identified by Socket, eight malicious packages mimicking legitimate tools through typosquatting have been discovered. These packages possess the capability to delete files, corrupt data, and cause system failures.<\/p>\n Targeting ecosystems including React, Vue.js, Vite, Node.js, and Quill, these malicious packages have existed on the NPM platform for the past two years, accumulating around 6,200 downloads.<\/p>\n Their longevity can be attributed to the activation of their malicious payloads based on hardcoded system dates, and they were designed to systematically delete framework files, corrupt core JavaScript methods, and sabotage browser storage systems.<\/p>\n The threat actor responsible for this campaign, operating under the pseudonym \u2018xuxingfeng\u2019, also published several legitimate packages to enhance the credibility of their account and evade detection.<\/p>\n While the immediate threat may have diminished due to the reliance on hardcoded dates, it remains imperative to uninstall these packages. The author could potentially issue updates that re-initiate destructive payloads in the future.<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":1509,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[632,631,630],"class_list":["post-1508","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-files","tag-packages","tag-scripts"],"acf":[],"yoast_head":"\nnpm install<\/code>). This script is capable of gathering the following information:<\/p>\n\n
Malicious Packages Still Present on NPM<\/h2>\n
Data Wipers on NPM<\/h2>\n
\n![\"Script](\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/identification-of-numerous-malicious-packages-on-npm-engaging-in-host-and-network-data-collection.jpg\")
Source: Socket<\/em><\/figcaption><\/figure>\n<\/div>\n