Tag: npm

21 Attack Reports | 0 Vulnerabilities

Attack reports

VS Code extensions contain trojan-laden fake image

A malicious campaign involving 19 Visual Studio Code extensions has been uncovered, hiding malware in dependency folders. Active since February 2025, the campaign abuses a legitimate npm package to avoid detection and crafts an archive containing malicious binaries disguised as a PNG image. The att…
npm
vs code
rust trojan
2025-12-11
Published: December 11, 2025
Downloadable IOCs: 0

Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

The Shai-hulud 2.0 campaign features an advanced malware variant that steals credentials and secrets from major cloud platforms and developer services. It automates the backdooring of NPM packages maintained by victims, enabling rapid propagation across the software supply chain. The malware target…
supply chain
cloud
credential theft
azure
npm
aws
github
shai-hulud
2025-11-27
gcp
Published: November 27, 2025
Downloadable IOCs: 6

Defending Against Sha1-Hulud: The Second Coming

A new variant of the NPM supply chain attack, dubbed Sha1-Hulud, has emerged with enhanced capabilities. Unlike its predecessor, this attack executes in the preinstall phase, targeting popular packages such as Postman, Zapier, and AsyncAPI. The malware harvests credentials across AWS, Azure, and GC…
persistence
npm
supply chain attack
package compromise
2025-11-27
github actions
sha1-hulud
cloud credentials
software development
Published: November 27, 2025
Downloadable IOCs: 3

Shai-Hulud 2.0: Aggressive & Automated, One Of Fastest Spreading NPM Supply Chain Attacks Ever Observed

In November 2025, security researchers identified Shai-Hulud 2.0, an aggressive and automated supply-chain attack targeting the npm ecosystem. This second wave of the Shai-Hulud campaign demonstrated unprecedented automation and propagation speed, compromising hundreds of npm packages within hours.…
backdoor
worm
credential harvesting
npm
github
automation
supply-chain attack
2025-11-27
shai-hulud 2.0
Published: November 27, 2025
Downloadable IOCs: 4

Shai-Hulud worm infects npm packages

A self-propagating malware called Shai-Hulud has infected over 500 npm packages, including one with over two million weekly downloads. The worm steals sensitive data, exposes private repositories, and hijacks victim credentials to spread further. It executes when an infected package is installed, c…
worm
data-theft
npm
github
supply-chain-attack
package-infection
shai-hulud
2025-09-25
self-propagating
Published: September 25, 2025
Downloadable IOCs: 0

"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack

A widespread software supply chain attack targeting the Node Package Manager (npm) ecosystem has been discovered, involving a novel self-replicating worm called "Shai-Hulud". The worm has compromised over 180 software packages, including widely used libraries. It operates by harvesting credentials,…
phishing
supply chain
worm
javascript
credential harvesting
npm
self-replicating
shai-hulud
2025-09-18
Published: September 18, 2025
Downloadable IOCs: 1

Self-replicating Shai-hulud worm spreads token stealing malware on npm

A self-replicating worm named Shai-hulud has been detected on the npm registry, spreading through compromised developer accounts and injecting malicious code into legitimate packages. The worm steals cloud service tokens, primarily targeting npm, GitHub, AWS, and GCP. It also installs Trufflehog to…
supply-chain
worm
npm
open-source
2025-09-16
self-replicating
shai-hulud
package-compromise
token-stealing
Published: September 16, 2025
Downloadable IOCs: 0

Ethereum smart contracts used to push malicious code on npm

A novel technique utilizing Ethereum smart contracts was discovered in two npm packages to conceal malicious commands for installing downloader malware. The packages, colortoolsv2 and mimelib2, are part of a larger campaign targeting npm and GitHub. The attackers created sophisticated GitHub reposi…
social engineering
cryptocurrency
npm
supply chain attack
ethereum
2025-09-04
smart contracts
colortoolsv2
mimelib2
Published: September 4, 2025
Downloadable IOCs: 0

PyPI Supply Chain Attack Uncovered: Colorama and Colorizr Name Confusion

A malicious package campaign targeting Python and NPM users on Windows and Linux has been discovered. The attack uses typo-squatting and name-confusion tactics against the popular colorama Python package and the similar colorizr JavaScript package. Multiple packages with risky payloads were uploade…
typosquatting
remote-access
npm
pypi
data-exfiltration
supply-chain-attack
2025-06-02
colorama
colorizr
Published: June 2, 2025
Downloadable IOCs: 2

The Good, the Bad and the Ugly in Cybersecurity – Week 20

This intelligence update covers recent cybersecurity events. In positive developments, global authorities disrupted a major botnet, arrested a ransomware actor, and dismantled a dark web marketplace. On the negative side, a malicious NPM package was discovered hiding multi-stage malware using Unico…
ransomware
zero-day
botnet
npm
dns hijacking
dark web
CVE-2025-27920
omserverservice.exe
omclientservice.exe
output messenger
2025-05-16
kurdish military
doppelpaymer
Published: May 16, 2025
Linked vulnerabilities : CVE-2025-27920 (CVSS 9.8)
Downloadable IOCs: 1

Atomic and Exodus crypto wallets targeted in malicious npm campaign

A malicious npm package named pdf-to-office was discovered targeting cryptocurrency wallets. The package, posing as a PDF to Office converter, injects malicious code into locally installed Atomic and Exodus wallets. This attack modifies legitimate files to redirect crypto funds to the attacker's wa…
cryptocurrency
persistence
npm
atomic
software supply chain
exodus
patching
2025-04-10
wallet
2025-04-14
trojanized code
atomic wallet
Published: April 14, 2025
Downloadable IOCs: 1

Malware found on npm infecting local package with reverse shell

A sophisticated malware campaign targeting npm packages has been discovered, involving two malicious packages: ethers-provider2 and ethers-providerz. These packages act as downloaders, hiding their malicious payload cleverly. Upon installation, they patch the legitimate locally-installed npm packag…
persistence
javascript
npm
reverse-shell
2025-03-26
ethers-provider2
package-infection
ethers-providerz
Published: March 26, 2025
Downloadable IOCs: 1

Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

Two npm packages, @rspack/core and @rspack/cli, were compromised in a supply chain attack, allowing the publication of malicious versions containing cryptocurrency mining malware. The attack targeted specific countries and aimed to execute XMRig cryptocurrency miner on Linux hosts. The malicious ve…
linux
xmrig
npm
crypto mining
2024-12-20
rspack
Published: December 20, 2024
Downloadable IOCs: 1

A new playground: Malicious campaigns proliferate from VSCode to npm

This intelligence details the emergence of malicious campaigns spreading from VSCode to npm. Researchers observed an increasing amount of malicious activity in VSCode Marketplace, with threat actors using npm packages to inject malicious code into VSCode IDE. The campaign initially targeted the cry…
obfuscation
npm
downloader
crypto
software supply chain
2024-12-19
zoom
malicious extensions
vscode
Published: December 19, 2024
Downloadable IOCs: 2

An NPM and PyPI Malicious Campaign Targeting Windows Users

Datadog Security Research has uncovered an ongoing supply chain attack targeting both npm and PyPi package repositories, tracked as MUT-8694. This campaign uses malicious packages to deliver infostealer malware to Windows users, leveraging legitimate services like GitHub and repl.it for payload hos…
supply-chain
typosquatting
infostealer
npm
pypi
2024-11-26
roblox
Published: November 26, 2024
Downloadable IOCs: 11

Differential analysis raises red flags over @lottiefiles/lottie-player

ReversingLabs researchers discovered malicious versions of the popular npm package @lottiefiles/lottie-player. Versions 2.0.5, 2.0.6, and 2.0.7 were compromised and used to spread malicious code designed to steal crypto wallet assets. The attackers altered the lottie-player.js file, replacing its c…
npm
cryptocurrency theft
supply chain attack
2024-11-22
package compromise
open-source security
differential analysis
Published: November 22, 2024
Downloadable IOCs: 0

Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware

A sophisticated supply chain attack has been discovered targeting the NPM ecosystem. The malicious package 'jest-fet-mock' impersonates popular testing utilities and uses Ethereum smart contracts for command-and-control operations. This cross-platform malware affects Windows, Linux, and macOS, exec…
supply-chain
typosquatting
c2
npm
multi-platform
2024-11-05
blockchain
development-tools
smart-contract
ethereum
jest-fet-mock
Published: November 5, 2024
Downloadable IOCs: 4

Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview

Datadog Security Research discovered three malicious npm packages: passports-js, bcrypts-js, and blockscan-api, containing BeaverTail malware associated with North Korean threat actors. The packages, downloaded 323 times, targeted job-seekers in the US tech industry through a campaign named Contagi…
infostealer
cryptocurrency
npm
dprk
beavertail
contagious interview
2024-10-25
invisibleferret
software supply chain
namesquatting
Published: October 25, 2024
Downloadable IOCs: 1

North Korea Still Attacking Developers via npm

Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…
malware
obfuscation
python
cryptocurrency
exfiltration
persistence
javascript
moonstone sleet
npm
2024-09-30
contagious interview
multi-stage attack
Published: September 30, 2024
Downloadable IOCs: 12

Persistent npm Campaign Shipping Trojanized jQuery

The report describes a persistent supply chain attack involving the distribution of a trojanized version of jQuery through various platforms like npm and GitHub. The malicious jQuery variant, containing a modified 'end' function, exfiltrates website form data by sending it to remote URLs controlled…
malware
supply chain
exfiltration
npm
github
2024-07-10
Published: July 10, 2024
Downloadable IOCs: 67

Malicious npm package targets AWS users

ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
backdoor
supply-chain
2024-06-27
npm
aws
Published: June 27, 2024
Downloadable IOCs: 3
Click here to see more Attack Reports