Security firm Socket warns of an ongoing campaign targeting NPM users with tens of malicious packages that can collect and exfiltrate system information.
Over the past two weeks, a threat actor has published 60 NPM packages containing a small script that activates when the package is installed to collect hostnames, IP addresses, DNS server lists, and directory paths and send the information to an attacker-controlled Discord webhook.
Targeting Windows, Linux, and macOS, the information stealer script packs basic sandbox‑evasion checks, and was specifically designed to fingerprint any system that builds or installs one of the malicious packages.
“Combined downloads now exceed 3,000, giving the threat actor a growing map of developer and enterprise networks that can guide future intrusions. As of this writing, all packages remain live on NPM. We have petitioned for their removal,” Socket said in an advisory.
The security firm identified three NPM accounts that published 20 malicious packages each, namely bbbb335656, cdsfdfafd1232436437, and sdsds656565. All packages contain the same fingerprinting code and send data to the same Discord webhook.
According to Socket, because the nefarious script collects both internal and external network identifiers, it allows the threat actor to link private developer environments to public-facing infrastructure, enabling them to mount follow-up attacks.
“The script gathers enough information to connect an organization’s internal network to its outward‑facing presence. By harvesting internal and external IP addresses, DNS servers, usernames, and project paths, it enables a threat actor to chart the network and identify high‑value targets for future campaigns,” Socket notes.
The campaign can also enable subsequent supply chain attacks, as the collected information may reveal internal package registry URLs, along with build paths, the company says.
It also warns that additional malicious packages might be published unless actions is taken quickly against the offending accounts, and recommends that developers use dependency‑scanning tools to identify unusually small tarballs, hardcoded URLs, and post‑install hooks.
Related: Popular Scraping Tool’s NPM Package Compromised in Supply Chain Attack
Related: Malicious NPM Packages Target Cursor AI’s macOS Users
Related: Malicious NPM Packages Target Cryptocurrency, PayPal Users
Related: 9-Year-Old NPM Crypto Package Hijacked for Information Theft
