A sophisticated malware campaign targeting the npm ecosystem has compromised developer environments through 60 malicious packages designed to silently harvest sensitive network information.
The operation, which began eleven days ago and remains active as of publication, demonstrates the growing threat to software supply chains through compromised open-source packages.
The malicious packages span three npm accounts and have accumulated over 3,000 downloads, creating an extensive reconnaissance network for the threat actors.
Each package carries an identical post-install script that npm runs automatically during installation (unless installs are performed with `--ignore-scripts`), so the payload fires on Windows, macOS, and Linux alike, on developer workstations and in continuous integration environments.
Socket.dev researchers identified the campaign through their threat detection systems. The malware collects hostnames, internal and external IP addresses, DNS server configurations, and user directory paths, then exfiltrates this data to an attacker-controlled Discord webhook.
The operation’s persistence and scale indicate a well-coordinated effort to map enterprise networks and identify high-value targets for future attacks.
The threat actors published the packages from three accounts whose registration emails follow the pattern npm9960+[1-3]@gmail.com; each account holds exactly twenty malicious packages with legitimate-sounding names such as “react-xterm2,” “seatable,” and “garena-admin.”
Combined with the rapid publication timeline and the identical payloads, the uniform account naming suggests the campaign was run with systematic automation.
The exfiltrated data provides attackers with comprehensive network mapping capabilities, linking private developer environments to public-facing infrastructure and revealing organizational relationships that could facilitate targeted intrusions.
On continuous integration servers, the malware exposes internal package registry URLs and build paths, intelligence particularly valuable for subsequent supply chain attacks.
The malware employs sophisticated reconnaissance techniques wrapped within seemingly innocuous post-install hooks.
The core payload utilizes Node.js built-in modules to enumerate network interfaces and extract IPv4 addresses while querying ipinfo.io for external network information.
Before exfiltrating, the script attempts sandbox evasion: it checks for known cloud computing domains such as “compute.amazonaws.com” and “bc.googleusercontent.com,” and for research environment indicators such as usernames containing “justin,” “mal_data,” or “malicious,” and exits if any match.
This selective targeting is intended to keep the malware running only in genuine development environments, maximizing the value of the collected intelligence while avoiding detection in security research environments. The heuristic is crude, however: an analysis host with an ordinary hostname and username passes the check, so it does little against a deliberate investigation.