In a disturbing development for the JavaScript community, Socket's Threat Research Team has uncovered a stealthy and destructive supply chain attack campaign in the npm ecosystem. Malicious packages masquerading as legitimate tools target projects built on widely used frameworks such as React, Vue.js, Vite, and the Quill Editor, embedding code designed to corrupt data, destroy installed framework files, and even shut down systems.
"These malicious packages have remained undetected in the npm ecosystem for more than two years, accumulating over 6,200 downloads," Socket researchers report.
The threat actor, operating under the npm alias xuxingfeng and using the email address 1634389031@qq[.]com, published eight destructive packages while also maintaining a portfolio of legitimate ones. This blend of good and bad packages creates a deceptive trust profile, a classic case of dual-use publishing.
"This mixed publishing approach helps mask malicious intent by establishing credibility and trust within the ecosystem."
The malicious packages use typosquatting and name mimicry to lure developers. Examples include:
- vite-plugin-react-extend (vs. @vitejs/plugin-react)
- vite-plugin-vue-extend (vs. @vitejs/plugin-vue)
- vite-plugin-bomb (vs. vite-plugin-html)
- quill-image-downloader (similar to legitimate Quill plugins)
By adopting these misleading names, the attacker relies on developers picking up one of them instead of the package it imitates, which pulls the malicious code straight into the build pipeline.
These packages delete core files of popular JavaScript frameworks from the project's node_modules. For instance, vite-plugin-bomb and vite-plugin-react-extend run recursive deletions against the installed React, Vite, and Vue.js packages.
"process.execSync(rimraf ${node_modules}vue\\dist);" is the destructive call embedded in the plugin.
The vite-plugin-vue-extend package goes further: a seven-stage attack that systematically targets 19 essential libraries in the Vue ecosystem over a six-week timeline, firing at randomized intervals.
The js-hood package subtly corrupts JavaScript's core functionality. It overrides critical methods such as Array.prototype.filter and String.prototype.split, replacing the expected results with random characters.
"This package is particularly dangerous because it directly attacks core JavaScript prototype methods... ensuring corrupted and unpredictable outputs."
quill-image-downloader executes a three-phase attack targeting localStorage, sessionStorage, and cookies, scrambling stored data used for user sessions, authentication, and UI state.
βUnlike other packages that cause immediate, obvious damageβ¦ this attack corrupts client-side data in a way that causes persistent, hard-to-diagnose application failures.β
The js-bomb and vue-plugin-bomb packages forcibly shut down systems and delete framework files using scheduled multi-phase payloads. One of the embedded commands reads:
These payloads fire at rapid intervals, as often as every second, leaving administrators mere seconds to react before system shutdowns and data destruction occur.
The attacker built in cross-platform compatibility, dynamic path resolution, error handling, and scheduled activation, which helps the payloads evade detection and delays analysis. Several packages ship minified code and error-suppressing try/catch blocks, adding to their stealth.
"Once activated, the attacks execute at intervals ranging from aggressive 1-second loops to randomized 5-10 minute windows."
As of this writing, the malicious packages are still live on the npm registry. Socket has petitioned for their removal but warns that installations may still exist in local or production environments.