Malicious packages have been discovered on the Node Package Manager (npm) index that collect sensitive host and network data. According to Socket’s Threat Research team, 60 packages were uploaded starting May 12 from three publisher accounts; they attempt to gather information such as the hostname, internal IP address, user home directory, and system DNS servers.
The malicious packages contain a post-install script that executes during ‘npm install’ and sends the collected data to a Discord webhook controlled by the threat actor. While no second-stage payloads or privilege escalation were observed, the risk of targeted network attacks is significant due to the sensitive data collected.
To trick developers into using them, the threat actor chose names similar to those of legitimate packages, such as ‘flipper-plugins’ and ‘react-xterm2’, as well as generic, trust-evoking names like ‘hermes-inspector-msggen’. The complete list of malicious packages is available in Socket’s report.
In a separate incident, eight malicious packages were discovered that mimic legitimate tools through typosquatting but can delete files, corrupt data, and shut down systems. These packages targeted the React, Vue.js, Vite, Node.js, and Quill ecosystems and received 6,200 downloads over two years.
It is recommended to remove these malicious packages immediately and perform a full system scan to eradicate any infection remnants.
Source: https://www.bleepingcomputer.com/news/security/dozens-of-malicious-packages-on-npm-collect-host-and-network-data