New Supply Chain Attack Targets npm Packages with Malicious Scripts

Mon 26th May, 2025

A recent supply chain attack poses a significant threat to workstations and continuous integration (CI) environments. Security firm Socket has issued a warning regarding the discovery of 60 npm packages containing a malicious script designed to extract sensitive internal data for future cyberattacks.

The identified packages originate from three npm accounts (bbbb335656, cdsfdfafd1232436437, and sdsds656565), with each account featuring twenty packages that have collectively been downloaded approximately 3,000 times. The malicious script activates during the installation process (npm install) and performs a sandbox check, becoming operational only in non-virtual environments such as actual workstations or genuine CI nodes. This vulnerability affects systems running on Windows, macOS, and Linux.

Although the compromised packages have been removed from the npm registry, analysts caution against the potential for the attack to expand. They note that malicious actors could easily replicate the script, monitor its download telemetry in real-time, and re-release it. The information gleaned from the stolen data provides attackers with enough leverage to conduct further, more targeted attacks. In CI environments, the understanding of package registries and build paths presents additional opportunities for supply chain breaches.

To mitigate these risks, security analysts recommend that developers incorporate automated checks into their processes, looking specifically for webhooks related to the installation (such as Discord), hardcoded URLs, and unusually small tarball sizes. A snippet of the compromised script illustrates the type of data it collects:

const trackingData = JSON.stringify({
package: package,
directory: __dirname,
home_directory: os.homedir(),
username: os.userInfo().username,
dns: dns.getServers(),
internal_hostname: os.hostname(),
internal_ip: getIPAddress(),
external_ip: externalIP.ip,
external_hostname: externalIP.hostname,
organization: externalIP.organization,
resolved_url: packageJSON ? packageJSON.___resolved : undefined,
package_version: packageJSON.version,
package_json: packageJSON,
package_type: 'npm',
});

More Quick Read Articles »