Hackers are abusing the Node Package Manager (NPM) registry (a database of JavaScript packages) to target multilingual developers, including eavesdroppers and remote code execution (RCE) code.
According to a study by cybersecurity company Socket, a coordinated malware campaign of its origins in China, has published dozens of malware packages that mimic the famous Python, Java, C++, .Net and Node.js libraries.
“This strategy could be specifically targeted to developers familiar with multiple programming languages, tempting them to install malware packages due to familiar package names that unexpectedly appear in the NPM registry rather than their original ecosystem,” Socked researchers said in a blog post.
The clumsy packages used in the active package obfuscate the code, designed to pass security defenses, run malicious scripts to delete sensitive data, and establish persistence on affected systems.
