Masquerading as innocent plugins and utilities, the malicious packages carried harmful payloads meant to deprave knowledge, wipe crucial recordsdata, and crash methods. Since their add, they’ve picked up over 6200 downloads, escaping detection and slipping into unsuspecting developer environments.
“The risk actor behind this marketing campaign, utilizing the npm alias xuxingfeng with a registration e mail 1634389031@qq[.]com, has printed eight packages designed to trigger widespread injury throughout the JavaScript ecosystem,” mentioned Socket researcher Kush Pandya in a weblog publish. “Notably, the identical account has additionally printed a number of authentic, non-malicious packages that operate as marketed.”
Earlier this month, hackers have been discovered abusing npm to focus on multi-language builders with typo-squatted packages containing stealer and RCE codes. Boychenko suggested making use of commonplace hygiene whereas managing dependencies from npm. He advisable utilizing dependency-scanning instruments to flag post-install hooks, hardcoded URLs, and unusually small tar archives, along with strengthening the event pipeline with automated security checks.
