New supply chain attack with malicious scripts in npm packages
A new attack on the supply chain threatens workstations and CI environments. The malicious script spies on internal data for further attacks.
(Image: William Potter/Shutterstock.com)
The security firm Socket warns of a campaign with malicious scripts in npm packages. The analysts have discovered 60 of these packages that contain an infostealer, which collects a machine fingerprint, network data and directory structures and sends them to a Discord account controlled by the attackers.
The sixty packages originate from three npm accounts (bbbb335656, cdsfdfafd1232436437 and sdsds656565), twenty per account, and have already been downloaded 3000 times. The malicious script, which is identical in all of them, runs at installation time (npm install) and first performs a sandbox check, i.e., it only becomes active in a non-virtual environment, on a workstation or a real CI node. Windows, macOS and Linux systems are affected.
(Image: Socket)
Dangers for the supply chain
Large-scale attacks on the supply chain recur regularly, and although the packages that have now surfaced have been removed from the npm registry, the analysts warn of a possible expansion of the attack: “The malicious actors can easily clone the script, record its download telemetry in real time and republish it.” With the stolen data, the perpetrators have enough information for further attacks. In CI environments in particular, knowledge of package registries and build paths opens up opportunities for further supply chain attacks.
As a defense, the security analysts recommend that developers have their automated checks flag post-install scripts that call webhooks (in this case Discord), hard-coded URLs and unusually small tarballs.
An excerpt from the script shows the data it spies on:
const trackingData = JSON.stringify({
package: package,
directory: __dirname,
home_directory: os.homedir(),
username: os.userInfo().username,
dns: dns.getServers(),
internal_hostname: os.hostname(),
internal_ip: getIPAddress(),
external_ip: externalIP.ip,
external_hostname: externalIP.hostname,
organization: externalIP.organization,
resolved_url: packageJSON ? packageJSON.___resolved : undefined,
package_version: packageJSON.version,
package_json: packageJSON,
package_type: 'npm',
});
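The following audit script is an added example, not code from Socket's report or from the malicious packages; it implements the three checks recommended above against an unpacked package. It assumes the package is supplied as its parsed package.json, a map of file name to source text (as read from an extracted tarball) and the tarball size in bytes; the size threshold and the sample packages are constructed.

```javascript
// Added example (not Socket's code): flag install-time lifecycle scripts,
// hard-coded webhook and other URLs, and unusually small tarballs.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Any absolute http(s) URL embedded in source text.
const URL_RE = /https?:\/\/[^\s'"`)]+/g;
// Webhook endpoints commonly abused for exfiltration (Discord, Slack).
const WEBHOOK_RE = /^https?:\/\/(?:[\w.-]+\.)?(?:discord(?:app)?\.com\/api\/webhooks|hooks\.slack\.com)\//i;
const SMALL_TARBALL_BYTES = 4096; // constructed threshold; tune for your ecosystem

function auditPackage(pkg, files, tarballBytes) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ kind: 'install-hook', detail: `${hook}: ${pkg.scripts[hook]}` });
    }
  }
  for (const [name, src] of Object.entries(files)) {
    for (const url of src.match(URL_RE) || []) {
      const kind = WEBHOOK_RE.test(url) ? 'webhook-url' : 'hardcoded-url';
      findings.push({ kind, detail: `${name}: ${url}` });
    }
  }
  if (tarballBytes < SMALL_TARBALL_BYTES) {
    findings.push({ kind: 'small-tarball', detail: `${tarballBytes} bytes` });
  }
  return findings;
}

// Block only when an install hook is combined with another trait: a lone
// postinstall or a lone URL is common in legitimate packages.
function shouldBlock(findings) {
  const kinds = new Set(findings.map(f => f.kind));
  return kinds.has('install-hook') && kinds.size > 1;
}

// Constructed sample shaped like the campaign (placeholder webhook id/token).
const suspicious = {
  pkg: { name: 'example-pkg', version: '1.0.0', scripts: { postinstall: 'node setup.js' } },
  files: { 'setup.js': "const hook = 'https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN';" },
  tarballBytes: 1200,
};
// Constructed benign sample for contrast.
const benign = {
  pkg: { name: 'ok-pkg', version: '2.1.0', scripts: { test: 'node test.js' } },
  files: { 'index.js': 'module.exports = () => 42;' },
  tarballBytes: 50000,
};

for (const p of [suspicious, benign]) {
  const findings = auditPackage(p.pkg, p.files, p.tarballBytes);
  console.log(p.pkg.name, shouldBlock(findings) ? 'BLOCK' : 'allow', findings);
}
```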
(who)