Malicious NPM Packages Hit 6,200 Downloads

Security researchers at Socket have uncovered malicious packages in the widely used npm (Node Package Manager) registry that had been downloaded more than 6,000 times. The packages carried destructive payloads designed to corrupt or delete important data and crash systems.

The malicious packages had names that closely mimicked those of legitimate packages, making them hard to distinguish from the real thing. Eight packages were identified, using a range of tactics: deleting Vue.js framework files, corrupting core JavaScript functions, and breaking browser storage mechanisms.
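Lookalike names are the first thing a dependency review should catch. The script below is an added example, not code from Socket or from the article: it scans the dependency names in a package.json for entries that are within a small edit distance of a well-known package (a transposed pair of letters, an extra or missing character) and reports them. The known-package list and the sample package.json are constructed here for illustration; in practice you would compare against your organisation's allow-list or the registry's most-downloaded names.

```javascript
// Added example (not from the Socket report or the Ars article):
// flag dependency names that are suspiciously close to well-known packages.

// Constructed allow-list of "known-good" package names (assumption for this demo).
const KNOWN_PACKAGES = ['vue', 'vue-router', 'vuex', 'react', 'lodash', 'express', 'axios', 'chalk'];

// Constructed package.json for the demo; the odd spellings are deliberate.
const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: {
    'vue': '^3.4.0',
    'vue-rotuer': '^4.0.0',  // transposition of vue-router
    'loadsh': '^4.17.21',    // transposition of lodash
    'axios': '^1.6.0',
    'left-pad': '^1.3.0',    // unrelated name, must not be flagged
  },
  devDependencies: {
    'expresss': '^4.18.0',   // extra character
  },
};

// Optimal-string-alignment (Damerau-Levenshtein) distance: insertions, deletions,
// substitutions and adjacent transpositions each cost 1, so "loadsh" vs "lodash" is 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Case- and separator-insensitive form, so "Vue_Router" compares as "vue-router".
function normalize(name) {
  return name.toLowerCase().replace(/[._]/g, '-');
}

// Returns the dependencies that are not on the known list but sit within a
// small edit distance of one. Short known names get a tighter bound (1 edit),
// because one edit on "vue" is a large change while two on "vue-router" is a
// plausible typo. Exact matches are trusted and skipped.
function findLookalikes(dependencies, known = KNOWN_PACKAGES, maxDistance = 2) {
  const knownNorm = known.map((k) => ({ name: k, norm: normalize(k) }));
  const knownSet = new Set(knownNorm.map((k) => k.norm));
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    const n = normalize(dep);
    if (knownSet.has(n)) continue;
    let best = null;
    for (const k of knownNorm) {
      const dist = editDistance(n, k.norm);
      const limit = k.norm.length >= 8 ? maxDistance : 1;
      if (dist <= limit && (best === null || dist < best.distance)) {
        best = { dependency: dep, resembles: k.name, distance: dist };
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

// Audit both dependency sections of a parsed package.json object.
function auditPackageJson(pkg, known = KNOWN_PACKAGES) {
  const all = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return findLookalikes(all, known);
}

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`suspicious: "${f.dependency}" resembles "${f.resembles}" (${f.distance} edit)`);
}
```

A hit from this check is a prompt to look at the package page (publisher, age, download count, repository link) before installing, not proof of malice; legitimate forks and community packages often have near-duplicate names, which is exactly what makes the technique effective.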

One package deleted Vue.js framework files and forced system shutdowns in a "multi-phase" attack. Another used a three-file approach that corrupted browser storage holding authentication tokens and user preferences, producing intermittent failures that persisted even after a page refresh.

The discovery highlights the hidden risks facing users of open-source package registries. The malicious packages remained available for more than two years, accumulating roughly 6,200 downloads in that time. The researchers stress the importance of vetting third-party libraries before installing them, to avoid falling prey to attacks of this kind.

Source: https://arstechnica.com/information-technology/2025/05/destructive-malware-available-in-npm-repo-went-unnoticed-for-2-years