Sophisticated npm Packages Pose Threat to JavaScript Ecosystem

Security researchers have discovered a sophisticated campaign targeting popular frameworks and libraries through malicious npm packages. These packages, which have accumulated over 6,200 downloads, masquerade as legitimate plugins and utilities while containing destructive payloads designed to corrupt data, delete critical files, and crash systems.

The attacker behind this campaign uses a dual strategy of publishing both helpful and harmful packages to create a facade of trustworthiness. Eight malicious packages remain active on the npm registry as of May 22, 2025, relying on typosquatting and name mimicry to trick developers into installing them.

These packages target popular tools in modern JavaScript development, including Vite and widely used plugins for frameworks like React and Vue.js. By mimicking common plugin names, attackers exploit developers’ reliance on third-party extensions and their trust in the npm ecosystem.

The most concerning aspect of this campaign is the diversity of attack vectors deployed, ranging from subtle data corruption to aggressive system shutdowns and file deletion. One sophisticated component is the “js-hood” package, which corrupts fundamental JavaScript methods, including Array methods like filter and push, as well as critical String methods.

This approach creates hard-to-diagnose, intermittent problems that survive ordinary debugging. The malware introduces non-deterministic failures, returning random data at randomized intervals of 5-10 minutes, which makes the cause difficult for developers to identify.
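As an added example (not code from the article or from any package it describes), the following Node.js check detects the kind of built-in method tampering attributed to js-hood, combining a native-source check with repeated known-answer probes; the method list and probe inputs are assumptions chosen for illustration.

```javascript
'use strict';
// Added example, not code from the article: an integrity check for the built-in
// Array and String methods that the js-hood package is reported to corrupt.
// Each method gets two independent checks: its source must still read
// "[native code]", and a known-answer probe must still return the expected result.
// The method list and probe inputs below are assumptions chosen for illustration.

const PROBES = [
  { path: 'Array.prototype.filter',   run: () => [1, 2, 3, 4].filter(n => n % 2 === 0), want: '[2,4]' },
  { path: 'Array.prototype.push',     run: () => { const a = [1]; a.push(2, 3); return a; }, want: '[1,2,3]' },
  { path: 'Array.prototype.map',      run: () => [1, 2, 3].map(n => n * 2),              want: '[2,4,6]' },
  { path: 'String.prototype.split',   run: () => 'a,b,c'.split(','),                     want: '["a","b","c"]' },
  { path: 'String.prototype.replace', run: () => 'foo-bar'.replace('-', '_'),            want: '"foo_bar"' },
];

// Resolve a dotted path such as "Array.prototype.filter" from globalThis without eval.
function resolve(path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), globalThis);
}

// An unmodified built-in stringifies as "function name() { [native code] }".
// Caveat: a payload that also replaces Function.prototype.toString can spoof this,
// which is why the behavioural probe is run as well.
function isNativeSource(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}/.test(Function.prototype.toString.call(fn));
}

// Run every probe `rounds` times: sabotage that fails only intermittently can pass
// a single clean run, so the check is meant to be repeated (and scheduled periodically).
function auditBuiltins(rounds = 20) {
  const findings = [];
  for (const probe of PROBES) {
    const reasons = [];
    if (!isNativeSource(resolve(probe.path))) reasons.push('non-native source');
    for (let i = 0; i < rounds; i++) {
      let got;
      try { got = JSON.stringify(probe.run()); } catch (e) { got = `threw ${e.name}`; }
      if (got !== probe.want) { reasons.push(`round ${i}: got ${got}, want ${probe.want}`); break; }
    }
    if (reasons.length) findings.push({ method: probe.path, reasons });
  }
  return findings;
}

const report = auditBuiltins();
console.log(report.length === 0 ? 'built-ins intact' : JSON.stringify(report, null, 2));
```

Freezing the prototypes at startup (for example `Object.freeze(Array.prototype)`) is a complementary hardening step, at the cost of breaking legitimate polyfills that patch them.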

To mitigate this threat, security experts recommend immediately auditing installed dependencies, restoring affected environments from verified sources, and rotating all potentially compromised credentials. Organizations should also implement package security scanning tools to detect these types of supply chain attacks before they enter the codebase.

Source: https://cybersecuritynews.com/hackers-using-weaponized-npm-packages