Malicious NPM packages are raising alarms: they are built to pilfer host and network details from the systems that install them.
Malicious NPM Packages Expose Thousands of Systems to Cyber Threats
Cybersecurity firm Socket has discovered a coordinated campaign involving 60 malicious npm packages, targeting software developers and continuous integration environments. These packages, published under three npm accounts, were found to collect sensitive system information and send it to an attacker-controlled Discord webhook.
The malicious packages, which were published to NPM between May 12 and the time of the report, were designed to resemble legitimate packages. Names such as "flipper-plugins", "react-xterm2", and "hermes-inspector-msggen" suggest that the attackers may have intended to target CI/CD pipelines. The malicious code ran during the 'npm install' process via a post-install script, conducting reconnaissance by collecting hostnames, internal and external IP addresses, user home directories, current working directories, usernames, system DNS servers, and network interface card (NIC) information.
The script was designed to evade analysis by performing basic checks for virtualized or cloud environments, such as those associated with Amazon and Google. If such an environment was detected, the script aborted, so that sandboxes and analysis systems would see nothing. The collected data was transmitted in real time to a Discord webhook, where the attackers could monitor it.
Socket did not observe delivery of additional payloads or privilege escalation, so the immediate risk lies in information leakage rather than system takeover. The collected data could be used to link private developer environments to public-facing infrastructure, increasing the risk of credential theft or lateral movement within networks.
Anyone who has installed any of the affected packages is advised to remove them immediately and run a full system scan. Additional precautions include monitoring for suspicious activity in developer and CI/CD environments, as well as implementing supply chain security best practices to detect and prevent such threats in the future.
The complete list of the 60 malicious packages can be found in Socket’s original report. However, the main concern here is the potential for these packages to expose sensitive information and map out internal networks, increasing the risk of follow-on attacks.