Malicious NPM packages are stealing data and damaging systems
Developers should pay extra attention while installing an NPM package
Security experts at Socket’s Threat Research team have discovered an active campaign in the NPM ecosystem. 60 harmful packages were uploaded to the NPM repository after May 12, 2025, under three fake NPM accounts: bbbb335656, sdsds656565, and cdsfdfafd1232436437.
Each account published 20 nearly identical malicious packages whose names resemble popular tools, such as flipper-plugins, react-xterm2, and hermes-inspector-msggen, with minor variations to avoid being flagged.
What’s happening?
Each package contains a small post-install script that runs as soon as you execute npm install and collects sensitive information, including:
- Hostname and internal IP address
- DNS server configurations
- Project directory paths
- External IP address
- The user’s home directory and username
Once collected, the data is sent to a Discord webhook, giving the attackers insight into real environments. The campaign has reached 3000 downloads so far and is still active.
How does it work?
The script targets Windows, macOS, and Linux and uses sandbox-evasion techniques to avoid detection in testing environments such as AWS/GCP instances or malware labs; if it detects that it is running in a security lab or a VM, it stops. The risk mainly concerns two areas:
- Network mapping: Links internal environments to public IPs, which helps attackers plan follow-up attacks.
- CI/CD Exposure: When used in automation pipelines, internal URLs and build paths can be exposed, raising the risk of supply chain attacks.
What should developers do?
To make sure you are not affected, you should:
- Check the dependencies, especially the ones added in the last two weeks.
- Scan your system to look for malware threats.
- Uninstall suspicious packages.
- Use security tools like the Socket GitHub app or CLI to check for post-install scripts and other red flags in NPM packages.
- Keep an eye out for anything suspicious.
Another threat in NPM: Data wipers
Socket also found 8 other malicious packages designed to delete files and corrupt data, especially in projects using React, Vue.js, and Node.js. This campaign was run by Xuxingfeng, who also published several legitimate packages to build trust and avoid detection.
These packages were active for almost two years and used system date checks to trigger the attacks. Even though the danger has passed, you are advised to remove the packages, since xuxingfeng could release updates and re-trigger the wiping functions in the future.
These attacks suggest that the threat actors may be laying the groundwork for future, more severe intrusions. To avoid this, developers must always be cautious when installing lesser-known packages. What do you think? Share your thoughts in the comments section below.