The npm registry is once again in the spotlight, this time battling a malware campaign using malicious packages to map developer networks.
Expert threat intelligence analysts over at Socket have flagged a coordinated attack involving at least three publisher accounts. These aren’t your run-of-the-mill malicious efforts; these actors have managed to distribute 60 different packages, all embedding the exact same host-fingerprinting code.
This isn’t about immediate chaos. Instead, it’s a far more insidious game of intelligence-gathering.
The campaign – which has already seen these dubious packages downloaded more than 3,000 times by unsuspecting developers – is designed to map internal developer environments. Why? To link them up with their public-facing infrastructure and create a treasure map for future, more targeted cyberattacks.
Kirill Boychenko, a threat intelligence analyst at Socket, has sounded a clear warning about these latest malicious npm packages. The primary aim here isn’t to break things straight away, but to quietly gather intel.
“The script performs reconnaissance with the sole purpose of fingerprinting each machine that builds or installs the package,” Socket’s analysis highlights. “By collecting both internal and external network identifiers, it links private developer environments to their public‑facing infrastructure — ideal for follow‑on targeting.”
Think about what this means for Continuous Integration (CI) servers, the automated workhorses of modern development.
“On continuous‑integration servers, the leak can reveal internal package registry URLs and build paths, intelligence that speeds up subsequent supply chain attacks,” the report notes. So, while the current payload might be “limited to reconnaissance, it creates a strategic risk by laying the foundation for deeper intrusions.”
Three npm accounts – bbbb335656, sdsds656565, and cdsfdfafd1232436437 – each pushed out twenty of these malicious packages. And they did it fast, all within a tight eleven-day window. The email addresses used for registration – npm9960+1@gmail[.]com, npm9960+2@gmail[.]com, and npm9960+3@gmail[.]com – scream “single actor” or, at the very least, a very closely coordinated group.
Each of the 60 packages sends the data it collects to the exact same Discord webhook. For example, Socket points out that “seatable (from bbbb335656), datamart (from sdsds656565), and seamless-sppmy (from cdsfdfafd1232436437) embed the identical malicious payload.”
Using Discord for exfiltration is a common trick; it’s easy for attackers to set up and manage. The harmful code itself usually gets run thanks to post-install scripts – a handy npm feature for legitimate setups, but a gaping door for attackers if we’re not careful.
No slowing down of malicious npm packages
The bad news? Socket believes the campaign remains active. This isn’t over. “Unless the npm registry removes the malicious packages and suspends the related accounts, more releases are likely.”
And it’s frighteningly simple for the culprits: “The threat actor can easily clone the script, track download telemetry in real time, and publish again.” The fact that these packages managed “More than 3,000 installs without removal” is a stark illustration that “quiet reconnaissance is an effective foothold technique on npm and one that others may emulate.”
Looking down the road, security folks should expect no slowing down of malicious npm packages. As Boychenko’s team predicts, “Because the registry offers no guardrails for post‑install hooks, expect new throwaway accounts, fresh packages, alternative exfiltration endpoints, and perhaps larger payloads once a target list is complete.”
The message for defenders is to “assume the threat actor will continue publishing, refine evasion checks, and pivot to follow‑on intrusions that exploit the mapping already collected.”
So, what’s the game plan for developers and organisations? It’s time to double down on defence. “Defenders should adopt dependency‑scanning tools that surface post‑install hooks, hardcoded URLs, and unusually small tarballs,” Socket advises. Beefing up the development pipeline with automated checks is also crucial.
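To make that advice concrete, here is an added example of a pre-install audit that applies the three heuristics Socket names (lifecycle hooks, hardcoded URLs, unusually small tarballs) to a package manifest before npm ever runs its scripts. This is illustrative code written for this article, not Socket's tooling and not code from any of the packages discussed; the size threshold, the webhook host list, the two sample packages and the placeholder webhook path are all constructed assumptions.

```javascript
// Added example: a small audit that scores an npm package on the three signals
// Socket recommends watching for. Not Socket's code, nor code from any package
// named in the article. Thresholds and sample inputs are constructed.

// npm runs these scripts automatically during install; they are the usual
// execution point for install-time malware.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const URL_RE = /https?:\/\/[^\s'"`<>)]+/g;
// Hosts commonly used as drop-off points for collected data (this campaign
// used a Discord webhook). Assumed list; extend it for your environment.
const WEBHOOK_HOSTS = ['discord.com', 'discordapp.com'];
// Assumed threshold: a tarball this small that also has a hook deserves a look.
const SMALL_TARBALL_BYTES = 4096;

// pkg: parsed package.json; sourceText: concatenated JavaScript shipped in the
// tarball; tarballBytes: packed size. Returns a list of { rule, detail }.
function auditPackage(pkg, sourceText, tarballBytes) {
  const findings = [];
  const scripts = pkg.scripts || {};

  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ rule: 'lifecycle-hook', detail: `${hook}: ${scripts[hook]}` });
    }
  }

  // Hardcoded URLs in either the script commands or the shipped code.
  const haystack = Object.values(scripts).join('\n') + '\n' + sourceText;
  const seen = new Set();
  for (const match of haystack.matchAll(URL_RE)) {
    const url = match[0];
    if (seen.has(url)) continue;
    seen.add(url);
    let host;
    try { host = new URL(url).hostname; } catch { continue; }
    const isWebhook = WEBHOOK_HOSTS.some(h => host === h || host.endsWith('.' + h));
    findings.push({ rule: isWebhook ? 'webhook-url' : 'hardcoded-url', detail: url });
  }

  if (tarballBytes < SMALL_TARBALL_BYTES) {
    findings.push({ rule: 'small-tarball', detail: `${tarballBytes} bytes` });
  }
  return findings;
}

// A lifecycle hook alone is common in legitimate packages; a hook combined
// with a webhook URL in a tiny tarball is the pattern described in the article.
function riskLevel(findings) {
  const rules = new Set(findings.map(f => f.rule));
  if (rules.has('lifecycle-hook') && rules.has('webhook-url')) return 'high';
  if (rules.has('lifecycle-hook') && (rules.has('hardcoded-url') || rules.has('small-tarball'))) {
    return 'medium';
  }
  if (rules.size > 0) return 'low';
  return 'none';
}

// Constructed sample inputs (not real packages).
const BENIGN = {
  pkg: { name: 'example-utils', version: '1.0.0', scripts: { test: 'node test.js' } },
  source: 'module.exports = (a, b) => a + b;',
  tarballBytes: 48213,
};
const SUSPECT = {
  pkg: { name: 'example-suspect', version: '0.0.1', scripts: { postinstall: 'node index.js' } },
  // Placeholder webhook path, not a real endpoint.
  source: 'const hook = "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN";',
  tarballBytes: 1340,
};

for (const sample of [BENIGN, SUSPECT]) {
  const findings = auditPackage(sample.pkg, sample.source, sample.tarballBytes);
  console.log(sample.pkg.name, riskLevel(findings), findings);
}
```

In practice the inputs come from the tarball itself: `npm pack <name>` downloads it without running any of its scripts, and the registry metadata exposes the packed size under `dist.unpackedSize` (`npm view <name> dist.unpackedSize`). The audit is a triage aid, not a verdict; the complementary control that removes the execution point entirely is `ignore-scripts=true` in `.npmrc` (or `npm ci --ignore-scripts` in CI), after which the few packages that genuinely need a build step are allowed explicitly.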
We need robust security practices baked into every step of the software development lifecycle. That means using comprehensive scanning tools and maintaining a healthy dose of scepticism about unfamiliar or lightly-vetted npm packages that could be malicious. Securing the software supply chain is a continuous effort, and staying one step ahead is really the name of the game.