Hackers drop 60 malicious reconnaissance NPM packages in less than two weeks

The malicious packages masquerade as harmless plugins and utilities while carrying destructive payloads designed to corrupt data, erase critical files and crash systems. Since being uploaded they have received over 6,200 downloads, evading detection and slipping into unsuspecting developers' environments.
“The threat actor behind the event, using the NPM alias xuxingfeng and registration email 1634389031@qq[.]COM, has released eight packages designed to cause widespread damage in the JavaScript ecosystem,” Socket researcher Kush Pandya said in a blog post. “It is worth noting that the same account also released several legitimate, non-malicious packages that all serve as advertising.”
Earlier this month, hackers were found abusing NPM to target multilingual developers with typosquatted packages containing eavesdropping and RCE code. Boychenko recommends applying standard hygiene wherever NPM manages dependencies: use a dependency scanning tool to flag post-install hooks, hard-coded URLs and unusually small tarballs, and strengthen the development pipeline with automated security checks.
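The three indicators in that advice (lifecycle hooks, hard-coded URLs, unusually small tarballs) are easy to turn into a pre-install check. The Node script below is an added example written for this article; it is not Socket's tooling or any published scanner. It audits a parsed package.json plus the tarball size that the registry reports, and returns structured findings. The package names, the threshold of 2048 bytes and the `example.invalid` URL are all constructed for the example.

```javascript
// Added example: a minimal manifest audit for an npm dependency, modelled on the
// hygiene advice above (flag install hooks, hard-coded URLs, tiny tarballs).
// Not Socket's code; thresholds and sample manifests are constructed.

// npm lifecycle scripts that run automatically on `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Commands inside a hook that fetch or execute code at install time.
const EXEC_HINTS = [/\bcurl\b/, /\bwget\b/, /\bnode\s+-e\b/, /\|\s*(ba)?sh\b/];
const URL_RE = /https?:\/\/[^\s"'`)]+/g;
// Hypothetical threshold: real utilities are rarely this small once packed.
const SMALL_TARBALL_BYTES = 2048;
// Fields where a URL is expected and therefore not interesting.
const METADATA_KEYS = new Set(['repository', 'homepage', 'bugs', 'funding']);

function auditManifest(manifest, tarballBytes) {
  const findings = [];
  const scripts = manifest.scripts || {};

  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    findings.push({ kind: 'lifecycle-hook', detail: `${hook}: ${scripts[hook]}` });
    if (EXEC_HINTS.some((re) => re.test(scripts[hook]))) {
      findings.push({ kind: 'hook-fetches-or-evals', detail: hook });
    }
  }

  // Look for hard-coded URLs anywhere outside the usual metadata fields
  // (scripts, config blocks, odd custom keys).
  for (const [key, value] of Object.entries(manifest)) {
    if (METADATA_KEYS.has(key)) continue;
    const text = typeof value === 'string' ? value : JSON.stringify(value);
    for (const url of text.match(URL_RE) || []) {
      findings.push({ kind: 'hardcoded-url', detail: `${key}: ${url}` });
    }
  }

  if (typeof tarballBytes === 'number' && tarballBytes < SMALL_TARBALL_BYTES) {
    findings.push({ kind: 'tiny-tarball', detail: `${tarballBytes} bytes` });
  }
  return findings;
}

// Collapse findings into the set of indicator kinds, for a quick allow/deny gate.
function indicatorKinds(findings) {
  return [...new Set(findings.map((f) => f.kind))].sort();
}

// Constructed sample: a plausible-looking helper with a post-install beacon.
const suspiciousManifest = {
  name: 'example-utils-helper',
  version: '1.0.2',
  main: 'index.js',
  scripts: {
    postinstall: "node -e \"require('https').get('https://example.invalid/beacon')\"",
  },
};

// Constructed sample: an ordinary package whose only URLs are repository metadata.
const benignManifest = {
  name: 'example-string-pad',
  version: '2.3.1',
  main: 'index.js',
  scripts: { test: 'node test.js' },
  repository: { type: 'git', url: 'https://github.com/example/example-string-pad.git' },
  homepage: 'https://github.com/example/example-string-pad#readme',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('suspicious:', indicatorKinds(auditManifest(suspiciousManifest, 900)));
  console.log('benign:', indicatorKinds(auditManifest(benignManifest, 48000)));
}
```

In a pipeline this would run against `npm view <pkg> dist.unpackedSize` (or the tarball's actual byte size) and the manifest fetched from the registry before the dependency is allowed into the lockfile; any `lifecycle-hook` or `hook-fetches-or-evals` finding is a good reason to require manual review rather than an automatic block, since some legitimate native modules also use install hooks.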