{"id":3337,"date":"2025-05-27T11:51:51","date_gmt":"2025-05-27T11:51:51","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3337"},"modified":"2025-05-27T11:51:51","modified_gmt":"2025-05-27T11:51:51","slug":"hackers-drop-60-npm-bombs-in-less-than-two-weeks-to-recon-dev-machines","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3337","title":{"rendered":"Hackers drop 60 npm bombs in less than two weeks to recon dev machines"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Threat actors have likely made off with sensitive host and network information from developers\u2019 systems in a coordinated malware campaign, involving 60 malicious npm packages, that were live for just under two weeks.<\/p>\n<p>According to a Socket discovery, these packages were distributed via three different npm accounts to execute stealthy post-install scripts during the \u201cnpm install\u201d operations.<\/p>\n<p>\u201cThe script targets Windows, macOS, or Linux systems, and includes basic sandbox\u2011evasion checks, making every infected workstation or continuous\u2011integration node a potential source of valuable reconnaissance,\u201d Socket researcher Kirill Boychenko said in a blog post.<\/p>\n<p>The scripts collected hostnames, internal and external IP addresses, DNS configurations, and user directory paths, transmitting this information to a Discord webhook controlled by the threat actor.<\/p>\n<h2 class=\"wp-block-heading\">Malicious code suggests a focus on reconnaissance\u00a0<\/h2>\n<p>The payload code snippet shared by Socket in the blog reveals a sharp focus on reconnaissance over immediate damage. 
At the very core, the script is aimed at fingerprinting every system that installs the infected package.<\/p>\n<p>\u201cBy harvesting internal and external IP addresses, DNS servers, usernames, and project paths, it enables a threat actor to chart the network and identify high\u2011value targets for future campaigns,\u201d Boychenko <a href=\"https:\/\/socket.dev\/blog\/60-malicious-npm-packages-leak-network-and-host-data\" target=\"_blank\" rel=\"noopener\">added<\/a>.<\/p>\n<p>The payload script, which appears identical across all 60 malicious packages and points to a coordinated campaign, employed lightweight sandbox evasion tactics to avoid detection. These included checking for virtualization indicators like \u201csystemd-detect-virt\u201d and known usernames like \u201csandbox.\u201d<\/p>\n<p>Boychenko cautioned that on continuous-integration (CI) servers, the leak could expose details such as private registry URLs and internal build paths, potentially accelerating a <a href=\"https:\/\/www.csoonline.com\/article\/561323\/supply-chain-attacks-show-why-you-should-be-wary-of-third-party-providers.html\">supply chain attack<\/a>.<\/p>\n<p>Socket said it had petitioned for the removal of all the packages from npm.<\/p>\n<h2 class=\"wp-block-heading\">The accounts are now defunct<\/h2>\n<p>The first three malicious packages, \u201ce-learning-garena,\u201d \u201cseatalk-rn-leave-calendar,\u201d and \u201ccoral-web-be,\u201d were released under the npm accounts bbbb335656, cdsfdfafd1232436437, and sdsds656565, respectively. Since then, all three accounts have gone on to publish twenty malicious packages each.<\/p>\n<p>According to Socket, the first package emerged eleven days ago, and the most recent appeared only hours before the disclosure was published, confirming the operation was still underway at the time.<\/p>\n<p>However, an npm search at the time of writing this article revealed that the accounts may have been taken off npm. 
None of the packages flagged in the Socket research could be found through the search either.<\/p>\n<p>While they were live on npm, the combined downloads were reported to have exceeded 3000, which Socket said would have given threat actors a \u201cgrowing map of developer and enterprise networks\u201d for future intrusions.<\/p>\n<h2 class=\"wp-block-heading\">Multiple npm abuses discovered within days<\/h2>\n<p>npm, the go-to package registry for JavaScript, has become an attacker\u2019s favorite because of its unmatched reach into developer workflows and its potential as a vector for large-scale supply chain attacks.<\/p>\n<p>Earlier this week, Socket also discovered a collection of malicious npm packages, undetected within npm for over two years, that deploy attacks against widely-used JavaScript frameworks including React, Vue.js, Vite, Node.js, and the open-source Quill Editor.<\/p>\n<p>Masquerading as harmless plugins and utilities, the malicious packages carried destructive payloads meant to corrupt data, wipe critical files, and crash systems. Since their upload, they\u2019ve picked up over 6200 downloads, escaping detection and slipping into unsuspecting developer environments.<\/p>\n<p>\u201cThe threat actor behind this campaign, using the npm alias <a href=\"https:\/\/www.npmjs.com\/~xuxingfeng\" target=\"_blank\" rel=\"noopener\">xuxingfeng<\/a> with a registration email 1634389031@qq[.]com, has published eight packages designed to cause widespread damage across the JavaScript ecosystem,\u201d said Socket researcher Kush Pandya in a blog <a href=\"https:\/\/socket.dev\/blog\/malicious-npm-packages-target-react-vue-and-vite-ecosystems-with-destructive-payloads\" target=\"_blank\" rel=\"noopener\">post<\/a>. 
\u201cNotably, the same account has also published several legitimate, non-malicious packages that function as advertised.\u201d<\/p>\n<p>Earlier this month, hackers were found <a href=\"https:\/\/www.csoonline.com\/article\/3980073\/hackers-booby-trap-npm-with-cross-language-imposter-packages.html\">abusing npm<\/a> to target multi-language developers with typo-squatted packages containing stealer and RCE code. Boychenko advised applying standard hygiene while managing dependencies from npm. He recommended using dependency-scanning tools to flag post-install hooks, hardcoded URLs, and unusually small tar archives, in addition to strengthening the development pipeline with automated security checks.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Threat actors have likely made off with sensitive host and network information from developers\u2019 systems in a coordinated malware campaign, involving 60 malicious npm packages, that were live for just under two weeks. 
According to a Socket discovery, these packages were distributed via three different npm accounts to execute stealthy post-install scripts during the \u201cnpm [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3332,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3337","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3337"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3337"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3337\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3332"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3337"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3337"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3337"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}