The Socket Threat Research Team has uncovered a coordinated surveillance malware campaign hidden in four open-source packages—three hosted on npm and one on PyPI—with over 56,000 downloads combined. These packages masquerade as developer utilities but are, in reality, sophisticated spyware designed to silently monitor users, steal credentials, capture webcam and screen activity, and persist across reboots.
“Once installed, these malicious packages covertly integrate surveillance functionality into the developer’s environment, enabling keylogging, screen capture, fingerprinting, webcam access, and credential theft,” Socket warns.
vfunctions (PyPI): Webcam Surveillance, Email Exfiltration, and Self-Replication
Marketed as a Python utility, vfunctions is anything but benign. It quietly activates the victim’s webcam, captures images, and sends them via Gmail SMTP to an attacker-controlled inbox:
“The malware exfiltrates captured webcam images via Gmail SMTP, using hardcoded or threat actor-provided credentials to send the files to a controlled email address,” the report states.
Even more troubling is its ability to infect other Python files in the working directory.
For persistence, the package copies itself to the Windows startup folder, guaranteeing it runs on reboot.
dpsdatahub (npm): Covert Keylogger Disguised as a Data Utility
The npm package dpsdatahub installs a hidden browser-based keylogger using invisible iframes and browser event listeners. It collects keystrokes and session data, then exfiltrates everything to a C2 endpoint hosted on AWS Lambda:
“The malware sends the logged keystrokes and session metadata to a threat actor-controlled AWS Lambda endpoint every 5 seconds.”
It also fingerprints the victim’s system—gathering GPU, media device, and browser data—making it a dual-purpose surveillance and profiling tool.
nodejs-backpack (npm): Screenshot and System Profiling with Slack Exfiltration
nodejs-backpack lures developers by offering a CLI for generating schemas and APIs, but behind the scenes, it collects screenshots and extensive system metadata. It sends this information to a Slack channel using a fragmented webhook URL:
“The package compiles the data into a Slack-formatted payload and sends it to the constructed webhook.”
Its obfuscation techniques and dual-purpose functionality help it avoid detection and prolong its presence in development environments.
m0m0x01d (npm): Real-Time Keylogger with Burp Collaborator C2
Perhaps the most stealthy of all, m0m0x01d uses iframe injection to monitor login fields and relay keystrokes through Burp Collaborator, a tool typically used in ethical hacking:
“The threat actor exfiltrates captured keystrokes to a dynamically generated subdomain on Burp Collaborator… blending malicious traffic with security testing activity.”
It uses a two-stage relay system, making the origin and destination of stolen data harder to trace and block.
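The four package write-ups above share a pattern: a surveillance capability (webcam capture, a hidden-iframe keystroke listener, GPU and media-device fingerprinting, startup-folder persistence) paired with an exfiltration channel on a trusted service (Gmail SMTP, an AWS Lambda endpoint, a Slack webhook, a Burp Collaborator subdomain). The heuristic triage scanner below is an added example written for this article, not Socket's tooling and not code from any of the packages. It looks for that capability-plus-channel co-occurrence in package source, and it rescans a view in which all string literals are concatenated so that a webhook URL split into fragments, as the nodejs-backpack section describes, is still visible. The rule names, regexes and fixture snippets are this example's own constructions; the Burp Collaborator domains (burpcollaborator.net, oastify.com) and the Lambda function-URL host form (`*.lambda-url.<region>.on.aws`) are assumed indicator patterns drawn from general knowledge of those services, not from the report.

```python
"""Heuristic triage of package source for surveillance-plus-exfiltration patterns.

Added example for this article; not Socket's scanner and not the malware's code.
Rule names, regexes and fixtures are constructed for demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    evidence: list[str]  # text that matched each pattern of the rule, in order


# A rule fires only when EVERY pattern in its list matches somewhere in the file.
# Requiring co-occurrence keeps ordinary utilities (which may legitimately import
# smtplib or register a keydown handler) quiet.
RULES: dict[str, list[str]] = {
    "webcam capture + SMTP exfiltration":
        [r"VideoCapture\(", r"\bsmtplib\b|smtp\.gmail\.com"],
    "Windows startup-folder persistence":
        [r"Start Menu\W*Programs\W*Startup"],
    "hidden iframe + keystroke listener":
        [r"createElement\(\s*['\"]iframe['\"]\s*\)",
         r"addEventListener\(\s*['\"]key(?:down|press|up)['\"]"],
    "GPU / media-device fingerprinting":
        [r"WEBGL_debug_renderer_info|enumerateDevices\("],
    # Assumed host shapes for Lambda function URLs and API Gateway endpoints.
    "AWS Lambda endpoint":
        [r"[\w.-]+\.lambda-url\.[\w-]+\.on\.aws|[\w.-]+\.execute-api\.[\w-]+\.amazonaws\.com"],
    "Slack incoming webhook":
        [r"hooks\.slack\.com/services/"],
    # Assumed Burp Collaborator callback domains.
    "Burp Collaborator callback domain":
        [r"(?:[\w-]+\.)*(?:burpcollaborator\.net|oastify\.com)\b"],
}

# Rules that represent a channel out of the machine rather than a capability.
EXFIL_RULES = {"AWS Lambda endpoint", "Slack incoming webhook",
               "Burp Collaborator callback domain", "webcam capture + SMTP exfiltration"}

_LITERAL = re.compile(r"'([^'\\\n]*)'|\"([^\"\\\n]*)\"")


def joined_literals(src: str) -> str:
    """Concatenate every single- or double-quoted string literal in file order.
    A URL assembled at runtime from fragments becomes contiguous again here, so the
    URL rules can still see it (at the cost of some false positives, acceptable for triage)."""
    return "".join(a or b for a, b in _LITERAL.findall(src))


def scan_source(src: str) -> list[Finding]:
    """Return one Finding per rule whose patterns all match the raw source or the joined-literal view."""
    views = (src, joined_literals(src))
    findings: list[Finding] = []
    for rule, patterns in RULES.items():
        evidence: list[str] = []
        for pat in patterns:
            match = None
            for view in views:
                match = re.search(pat, view)
                if match:
                    break
            if not match:
                break  # one pattern missing: the rule does not fire
            evidence.append(match.group(0))
        else:
            findings.append(Finding(rule, evidence))
    return findings


def verdict(findings: list[Finding]) -> str:
    """'likely surveillance' when a capability and an exfiltration channel co-occur
    (or the webcam-plus-SMTP rule alone fires), 'review' for isolated hits, else 'clean'."""
    rules = {f.rule for f in findings}
    channel = rules & EXFIL_RULES
    capability = rules - EXFIL_RULES
    if "webcam capture + SMTP exfiltration" in rules or (channel and capability):
        return "likely surveillance"
    return "review" if rules else "clean"


# Constructed fixtures: indicator fragments only, not the packages from the report.
PY_SAMPLE = """
import os, smtplib, cv2
cam = cv2.VideoCapture(0)
startup = os.path.join(os.environ['APPDATA'], 'Microsoft', 'Windows',
                       'Start Menu', 'Programs', 'Startup')
"""

JS_SAMPLE = """
const fr = document.createElement('iframe'); fr.style.display = 'none';
document.addEventListener('keydown', onKey);
const gpu = gl.getExtension('WEBGL_debug_renderer_info');
const hook = ['https://hooks.', 'slack.com/serv', 'ices/T000/B000/XXXX'].join('');
const c2 = 'https://abc123.lambda-url.us-east-1.on.aws/';
const relay = 'https://' + sub + '.oastify.com/';
"""

BENIGN_SAMPLE = """
// keyboard shortcuts and a status ping: a keydown handler alone is not a keylogger
document.addEventListener('keydown', handleShortcut);
fetch('https://api.example.com/status');
"""

if __name__ == "__main__":
    for name, src in (("python fixture", PY_SAMPLE), ("npm fixture", JS_SAMPLE),
                      ("benign fixture", BENIGN_SAMPLE)):
        found = scan_source(src)
        print(f"{name}: {verdict(found)}")
        for f in found:
            print(f"  - {f.rule}: {f.evidence}")
```

Run it over the unpacked contents of a package (for example the files an `npm pack` or `pip download` produces) rather than over a lockfile; the point is to flag candidates for manual review, and the joined-literal view is what catches the fragmented Slack webhook that a plain URL grep misses.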
What makes these packages particularly dangerous is their integration with legitimate tools and platforms: Gmail, AWS, Slack, Burp Collaborator—services trusted by millions of users. Socket warns that this marks a broader shift in adversary tactics:
“Surveillance-focused malware in the supply chain is likely to become more modular, better disguised, and more persistent.”
These threats not only target individual developers but also compromise entire CI/CD pipelines and enterprise systems through infected dependencies.