Packages
Malicious NPM packages abuse Adspect redirects to evade security
Seven packages published on the Node Package Manager (npm) registry use the Adspect cloud-based service to separate researchers from potential victims and lead them to malicious locations. The purpose of the attack is to lead victims to cryptocurrency scam sites, according to an analysis from researchers at application security company Socket. All malicious packages were published under the developer […]
Malicious NuGet packages drop disruptive ‘time bombs’
Several malicious packages on NuGet have sabotage payloads scheduled to activate in 2027 and 2028, targeting database implementations and Siemens S7 industrial control devices. The embedded malicious code uses a probabilistic trigger, so it may or may not activate depending on a set of parameters on the infected device. NuGet is an open-source package manager and software […]
Malicious NPM packages fetch infostealer for Windows, Linux, macOS
Ten malicious packages mimicking legitimate software projects in the npm registry download an information-stealing component that collects sensitive data from Windows, Linux, and macOS systems. The packages were uploaded to npm on July 4, and remained undetected for a long period due to multiple layers of obfuscation that helped escape standard static analysis mechanisms. According to researchers at […]
PhantomRaven attack floods npm with credential-stealing packages
An active campaign named ‘PhantomRaven’ is targeting developers with dozens of malicious npm packages that steal authentication tokens, CI/CD secrets, and GitHub credentials. The activity started in August and deployed 126 npm packages that counted more than 86,000 downloads. The Node Package Manager (NPM) is the default package manager for Node.js, used by JavaScript developers […]
Fake WhatsApp developer libraries hide destructive data-wiping code
Two malicious NPM packages posing as WhatsApp development tools have been discovered deploying destructive data-wiping code that recursively deletes files on a developer’s computers. Two malicious NPM packages currently available in the registry target WhatsApp developers with destructive data-wiping code. The packages, discovered by researchers at Socket, masquerade as WhatsApp socket libraries and were downloaded over 1,100 […]
North Korean XORIndex malware hidden in 67 malicious npm packages
North Korean threat actors planted 67 malicious packages in the Node Package Manager (npm) online repository to deliver a new malware loader called XORIndex to developer systems. The packages collectively count more than 17,000 downloads and were discovered by researchers at package security platform Socket, who assess them to be part of the continued Contagious Interview operation. Socket researchers […]
New wave of ‘fake interviews’ use 35 npm packages to spread malware
A new wave of North Korea’s ‘Contagious Interview’ campaign is targeting job seekers with malicious npm packages that infect dev’s devices with infostealers and backdoors. The packages were discovered by Socket Threat Research, which reports they load the BeaverTail info-stealer and InvisibleFerret backdoor on victims’ machines, two well-documented payloads associated with DPRK actors. The latest attack wave uses […]
Supply chain attack hits Gluestack NPM packages with 960K weekly downloads
A significant supply chain attack hit NPM after 16 popular Gluestack ‘react-native-aria’ packages with over 950,000 weekly downloads were compromised to include malicious code that acts as a remote access trojan (RAT). GeekFeed determined that the compromise began on June 6 at 4:33 PM EST, when a new version of the react-native-aria/focus package was published to NPM. Since […]
Malicious NPM package uses Unicode steganography to evade detection
A malicious package in the Node Package Manager index uses invisible Unicode characters to hide malicious code and Google Calendar links to host the URL for the command-and-control location. The package, named os-info-checker-es6, appears as an information utility and has been downloaded more than 1,000 times since the beginning of the month. Researchers at Veracode, a code security assessment […]
Malicious PyPI packages abuse Gmail, websockets to hijack systems
Seven malicious PyPi packages were found using Gmail’s SMTP servers and WebSockets for data exfiltration and remote command execution. The packages were discovered by Socket’s threat research team, who reported their findings to the PyPI, resulting in the removal of the packages. However, some of these packages were on PyPI for over four years, and based […]