Malicious NPM Packages Found Harvesting System Data and Posing Risks to Developers

Security researchers from Socket uncovered 60 malicious NPM packages that gather host and network information and transmit it to a Discord webhook controlled by attackers.

These packages, first uploaded on May 12 from three publisher accounts, rely on npm's post-install lifecycle hook, which runs automatically during installation, to collect data such as the hostname, internal IP address, user home directory, and configured DNS servers.

While no second-stage malware or persistence mechanism was observed, the kind of data collected suggests reconnaissance for future targeted attacks. Some of the packages mimicked the names of well-known libraries to deceive developers and may have been aimed at CI/CD pipelines, where install scripts run unattended. Separately, Socket identified another eight malicious NPM packages designed to delete files and sabotage systems; these evaded detection for two years because their destructive payloads were gated behind hardcoded activation dates.

Developers who installed any of these packages are advised to remove them immediately, review the install scripts declared by their remaining dependencies, and scan affected systems for anything the packages may have left behind. Because both campaigns rely on install-time scripts, disabling lifecycle scripts during installation (npm's `--ignore-scripts` option) closes that execution path, with the caveat that it also breaks legitimate packages which need a build step at install time.
