
Socket’s Threat Research Team has uncovered an active and expanding malware campaign in the npm ecosystem. More than 60 malicious packages, still live at the time of the report, are silently collecting internal network data and exfiltrating it to a Discord webhook under attacker control.
This widespread attack targets developers and continuous integration (CI) environments across Windows, macOS, and Linux, revealing a sophisticated reconnaissance campaign designed to map enterprise networks for future exploitation.
“Each package carries a small install-time script that… collects hostnames, internal and external IP addresses, DNS server lists, and user directory paths, then exfiltrates the data to a Discord webhook under the threat actor’s control,” Socket revealed.
The malicious code executes automatically during npm install, embedding itself within the build process. The payload harvests:
- Internal and external IP addresses
- Hostnames
- DNS server lists
- Usernames and home directories
- Working directory paths and project metadata
What sets this malware apart is its stealth and simplicity. It uses basic system libraries (os, dns, https) to avoid detection, and even includes logic to evade sandbox environments such as AWS, GCP, and common security research domains.
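As an added example that is not part of Socket's report, the following Python audit lists every installed package that defines an install-time hook and flags the indicators the report names (built-in `os`/`dns` reconnaissance calls and a Discord webhook URL); the `node_modules` tree built by `demo_audit()` is a constructed fixture, and its webhook URL is a placeholder.

```python
import json, re, tempfile
from pathlib import Path
# Lifecycle hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Indicators from the campaign above: Node built-in recon calls and a Discord webhook URL.
INDICATORS = {
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I),
    "dns_servers": re.compile(r"\bdns\.getServers\s*\("),
    "network_interfaces": re.compile(r"\bos\.networkInterfaces\s*\("),
    "hostname": re.compile(r"\bos\.hostname\s*\("),
    "user_info": re.compile(r"\bos\.userInfo\s*\("),
}

def audit_package(pkg_dir: Path) -> dict:
    """Report one package's install hooks and the indicators found in the scripts they run."""
    manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    hooks = {h: c for h, c in manifest.get("scripts", {}).items() if h in INSTALL_HOOKS}
    texts = list(hooks.values())
    for cmd in hooks.values():
        # Hooks usually run `node <file>`; read that file so its body is scanned as well.
        for target in re.findall(r"\bnode\s+([\w./-]+)", cmd):
            path = pkg_dir / target
            if path.is_file():
                texts.append(path.read_text(encoding="utf-8", errors="replace"))
    found = {name for name, rx in INDICATORS.items() if any(rx.search(t) for t in texts)}
    return {"name": manifest.get("name", pkg_dir.name), "hooks": hooks, "indicators": sorted(found)}

def audit_node_modules(root: Path) -> list:
    """List installed packages that define install hooks, most indicators first."""
    results = []
    for manifest in root.rglob("package.json"):
        pkg, up = manifest.parent, manifest.parent.parent
        # Only package roots: node_modules/<name> or node_modules/@scope/<name>.
        if up.name == "node_modules" or (up.name.startswith("@") and up.parent.name == "node_modules"):
            r = audit_package(pkg)
            if r["hooks"]:
                results.append(r)
    return sorted(results, key=lambda r: (-len(r["indicators"]), r["name"]))

def demo_audit() -> list:
    """Audit a constructed node_modules tree: one benign package, one shaped like the campaign's."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    bad, good = root / "example-recon-pkg", root / "harmless-lib"   # constructed fixtures
    for d in (bad, good): d.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({"name": bad.name, "scripts": {"postinstall": "node setup.js"}}))
    (bad / "setup.js").write_text("const os = require('os'), dns = require('dns');\n"
        "const info = { h: os.hostname(), d: dns.getServers(), n: os.networkInterfaces() };\n"
        "const hook = 'https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN';\n")
    (good / "package.json").write_text(json.dumps({"name": good.name, "scripts": {"test": "node t.js"}}))
    return audit_node_modules(root)
```

Pointing `audit_node_modules()` at a real project's `node_modules` surfaces every package that runs code at install time, which is the set worth reviewing (or blocking with `npm install --ignore-scripts`) in CI.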
“The selective sandbox escapes indicate the threat actor wants real victims, not sandboxes or research VMs,” the researchers noted.
The stolen information allows the attackers to map connections between developer machines and enterprise infrastructure, laying the groundwork for future supply chain or spearphishing attacks.
“By harvesting internal and external IP addresses, DNS servers, usernames, and project paths, it enables a threat actor to chart the network and identify high-value targets for future campaigns,” the report warns.
This quiet reconnaissance poses a strategic risk, especially for CI environments, where secrets, tokens, and private registry URLs may be inadvertently exposed.
The campaign is tied to three npm accounts — bbbb335656, cdsfdfafd1232436437, and sdsds656565 — each responsible for publishing 20 packages. Collectively, these packages have amassed over 3,000 downloads.
Examples of infected packages include:
- seatable
- datamart
- seamless-sppmy
Each embeds identical payloads pointing to the same Discord webhook for data exfiltration.
“Unless the npm registry removes the malicious packages and suspends the related accounts, more releases are likely,” Socket warned.