
Hackers drop 60 npm bombs in less than two weeks to recon dev machines




Masquerading as innocent plugins and utilities, the malicious packages carried destructive payloads designed to corrupt data, wipe critical files, and crash systems. Since they were uploaded, they have accumulated over 6,200 downloads, evading detection and slipping into unsuspecting developer environments.

“The threat actor behind this campaign, using the npm alias xuxingfeng with a registration email 1634389031@qq[.]com, has published eight packages designed to cause widespread damage across the JavaScript ecosystem,” said Socket researcher Kush Pandya in a blog post. “Notably, the same account has also published several legitimate, non-malicious packages that function as advertised.”

Earlier this month, hackers were found abusing npm to target multi-language developers with typosquatted packages containing stealer and RCE code. Boychenko advised applying standard hygiene when managing dependencies from npm. He recommended using dependency-scanning tools to flag post-install hooks, hardcoded URLs, and unusually small tar archives, in addition to strengthening the development pipeline with automated security checks.