Package lurking in npm for six years waits to destroy your work


Socket’s threat researchers have uncovered a package lurking in npm for six years that awaits a remote command to wipe projects.

The culprit? A package called xlsx-to-json-lh, which mimics the legitimate xlsx-to-json-lc package. Notice the difference? Just one letter separates them, an ‘h’ instead of a ‘c’ – an easy mistake for even careful developers to make when installing packages.

The legitimate package isn’t anything too special, just a useful tool that converts Excel spreadsheets to JSON format. But with nearly 500,000 downloads since 2016, it’s popular enough to make an attractive target for cybercriminals looking for wide distribution of their malware.

This npm package is a wolf in sheep’s clothing

What’s impressive, in the worst possible way, is the attention to detail shown by whoever created this threat. They didn’t just copy the name; they preserved all the original author’s metadata while sneaking in their own maintainer credentials. The package even functions for its stated purpose.

Socket’s AI Scanner has now flagged the package as “known malware,” but that comes after years of potential damage. The package remained active during the research period, though Socket has formally requested its removal from the npm registry.

There are some clues about who might be behind this attack. The maintainer email uses a French domain (yahoo.fr), and the trigger command embedded in the code is “remise à zéro” – French for “reset to zero.” Either we’re dealing with a French-speaking threat actor, or someone leaving false breadcrumbs.

Other packages from the same maintainer (using the alias “leonhard”) appear completely legitimate. This suggests the attack was targeted rather than a broad malware campaign.

A patient predator

Unlike obvious infections that immediately break things, get to work siphoning data, or serve any of the other nefarious uses for malware, this package works perfectly while silently establishing a persistent connection to a command and control server hosted on Heroku.

The malware activates the moment a developer imports the npm package. It establishes a WebSocket connection to a remote server, with automatic reconnection enabled to ensure it maintains contact with its controllers. Then it simply waits, potentially for years, for the specific French command phrase that triggers destruction.

When that command finally comes, the consequences are devastating. The code calculates your project’s root directory and methodically deletes everything: source files, git history, configs, dependencies, the lot. It even tidies up after itself by removing all evidence. Without external backups, recovery becomes virtually impossible.

Because developers often maintain multiple projects simultaneously, one developer might unknowingly install this npm package across several codebases. In a company with 20 developers, each working on two or three projects containing this hidden threat, a single command could wipe out 40-60 separate codebases in an instant. Years of work, gone.

This is the digital equivalent of a demolition crew placing charges throughout an entire office complex and waiting for the signal. When it blows, everything goes at once.

This form of attack, typosquatting, has become increasingly popular for threat actors. Attackers will likely use AI to amplify their attacks and generate convincing typosquats that account for common typing errors or keyboard layouts.

So what can you do to stay safe? The most important thing is triple-verifying what you’re installing. Meticulously check package names, look at download counts, check author histories, and use security tools that can scan dependencies before they enter your project.

(Photo by Hayley Murray)

See also: 60 malicious npm packages caught mapping developer networks
