As many as 60 malicious npm packages have been discovered in the package registry with malicious functionality to harvest hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint.
The packages, published under three different accounts, come with an install‑time script that's triggered during npm install, Socket security researcher Kirill Boychenko said in a report published last week. The libraries have been collectively downloaded over 3,000 times.
"The script targets Windows, macOS, or Linux systems, and includes basic sandbox‑evasion checks, making every infected workstation or continuous‑integration node a potential source of valuable reconnaissance," the software supply chain security firm said.
The names of the three accounts, each of which published 20 packages within an 11-day time period, are listed below. The accounts no longer exist on npm -
- bbbb335656
- cdsfdfafd1232436437, and
- sdsds656565
The malicious code, per Socket, is explicitly designed to fingerprint every machine that installs the package, while also aborting the execution if it detects that it's running in a virtualized environment associated with Amazon, Google, and others.
The harvested information, which includes host details, system DNS servers, network interface card (NIC) information, and internal and external IP addresses, is then transmitted to a Discord webhook.
"By harvesting internal and external IP addresses, DNS servers, usernames, and project paths, it enables a threat actor to chart the network and identify high‑value targets for future campaigns," Boychenko said.
The disclosure follows another set of eight npm packages that masquerade as helper libraries for widely-used JavaScript frameworks including React, Vue.js, Vite, Node.js, and the open-source Quill Editor, but deploy destructive payloads once installed. They have been downloaded more than 6,200 times and are still available for download from the repository -
- vite-plugin-vue-extend
- quill-image-downloader
- js-hood
- js-bomb
- vue-plugin-bomb
- vite-plugin-bomb
- vite-plugin-bomb-extend, and
- vite-plugin-react-extend
"Masquerading as legitimate plugins and utilities while secretly containing destructive payloads designed to corrupt data, delete critical files, and crash systems, these packages remained undetected," Socket security researcher Kush Pandya said.
Some of the identified packages have been found to execute automatically once developers invoke them in their projects, enabling recursive deletion of files related to Vue.js, React, and Vite. Others are designed to either corrupt fundamental JavaScript methods or tamper with browser storage mechanisms like localStorage, sessionStorage, and cookies.
Another package of note is js-bomb, which goes beyond deleting Vue.js framework files by also initiating a system shutdown based on the current time of the execution.
The activity has been traced to a threat actor named xuxingfeng, who has also published five legitimate, non-malicious packages that work as intended. Some of the rogue packages were published in 2023. "This dual approach of releasing both harmful and helpful packages creates a facade of legitimacy that makes malicious packages more likely to be trusted and installed," Pandya said.
The findings also follow the discovery of a novel attack campaign that combines traditional email phishing with JavaScript code that's part of a malicious npm package disguised as a benign open-source library.
"Once communication was established, the package loaded and delivered a second-stage script that customized phishing links using the victim's email address, leading them to a fake Office 365 login page designed to steal their credentials," Fortra researcher Israel Cerda said.
The starting point of the attack is a phishing email containing a malicious .HTM file, which includes encrypted JavaScript code hosted on jsDelivr and associated with a now-removed npm package named citiycar8. Once installed, the JavaScript payload embedded within the package is used to initiate a URL redirection chain that eventually leads the user to a bogus landing page designed to capture their credentials.
"This phishing attack demonstrates a high level of sophistication, with threat actors linking technologies such as AES encryption, npm packages delivered through a CDN, and multiple redirections to mask their malicious intentions," Cerda said.
"The attack not only illustrates the creative ways that attackers attempt to evade detection but also highlights the importance of vigilance in the ever-evolving landscape of cybersecurity threats."
The abuse of open-source repositories for malware distribution has become a tried-and-tested approach for conducting supply chain attacks at scale. In recent weeks, malicious data-stealing extensions have also been uncovered in Microsoft's Visual Studio Code (VS Code) Marketplace that are engineered to siphon cryptocurrency wallet credentials by targeting Solidity developers on Windows.
The activity has been attributed by Datadog Security Research to a threat actor it tracks as MUT-9332. The names of the extensions are as follows -
- solaibot
- among-eth, and
- blankebesxstnion
"The extensions disguise themselves as legitimate, concealing harmful code within genuine features, and use command and control domains that appear relevant to Solidity and that would not typically be flagged as malicious," Datadog researchers said.
"All three extensions employ complex infection chains that involve multiple stages of obfuscated malware, including one that uses a payload hidden inside an image file hosted on the Internet Archive."
Specifically, the extensions were advertised as offering syntax scanning and vulnerability detection for Solidity developers. While they offer genuine functionality, the extensions are also designed to deliver malicious payloads that steal cryptocurrency wallet credentials from victim Windows systems. The three extensions have since been taken down.
The end goal of the VS Code extension is to slip a malicious Chromium-based browser extension that's capable of plundering Ethereum wallets and leaking them to a command-and-control (C2) endpoint.
It's also equipped to install a separate executable that disables Windows Defender scanning, scans application data directories for Discord, Chromium-based browsers, cryptocurrency wallets, and Electron applications, and retrieves and executes an additional payload from a remote server.
MUT-9332 is also assessed to be behind a recently disclosed campaign that involved the use of 10 malicious VS Code extensions to install an XMRig cryptominer by passing off as coding or artificial intelligence (AI) tools.
"This campaign demonstrates the surprising and creative lengths to which MUT-9332 is willing to go when it comes to concealing their malicious intentions," Datadog said. "These payload updates suggest that this campaign will likely continue, and the detection and removal of this first batch of malicious VS Code extensions may prompt MUT-9332 to change tactics in subsequent ones."
