https://socket.dev/blog/60-malicious-npm-packages-leak-network-and-host-data
A significant supply chain attack targeting JavaScript developers has been uncovered on the NPM package repository, with dozens of malicious packages designed to collect sensitive host and network information from infected development environments. Security researchers have identified these packages as part of a coordinated campaign to gather intelligence on developer systems and corporate networks.
The malicious packages masqueraded as legitimate development tools and utilities, using names similar to popular NPM packages to trick developers into inadvertent installation through typosquatting techniques. Once installed, these packages executed hidden scripts that systematically collected detailed information about the host system, including operating system details, network configurations, running processes, and installed software.
Analysis of the malicious code revealed sophisticated data collection capabilities that went beyond basic system reconnaissance. The packages harvested network topology information, identified connected devices, and gathered details about development environments that could be valuable for planning future targeted attacks against software companies and their infrastructure.
“These packages represent a particularly insidious form of supply chain attack because they target the very foundation of modern software development,” said a researcher involved in the discovery. “By compromising developer workstations and build environments, attackers can potentially gain access to source code, credentials, and production systems.”
The collected data was transmitted to remote servers controlled by the threat actors through encrypted channels designed to evade network monitoring tools. The campaign may be linked to broader espionage activities targeting technology companies and software development organisations.
NPM has responded to the discovery by removing the identified malicious packages from its repository and implementing additional security measures to detect similar threats. The platform has also enhanced its automated scanning capabilities to identify packages exhibiting suspicious behavior patterns during the upload process.
Developers are strongly advised to audit their project dependencies for any packages installed during the affected timeframe and to implement dependency scanning tools that can identify potentially malicious or compromised packages. It is recommended to establish secure development practices including dependency pinning, regular security audits of third-party packages, and network segmentation between development and production environments.