A newly discovered malware campaign targeting the npm ecosystem has compromised developer environments using 60 malicious packages. These packages are designed to secretly collect and transmit sensitive network data.
The operation began eleven days ago and is still ongoing. Researchers say the campaign highlights the increasing danger of supply chain attacks through open-source platforms like npm.
So far, the malicious packages have been downloaded over 3,000 times. They were published under three separate npm accounts, forming a broad surveillance network for the attackers.
How the Malware Works
Each of the 60 packages contains the same post-install script. This script runs automatically when the package is installed. It targets all major operating systems—Windows, macOS, and Linux—making it effective across a wide range of developer and CI (continuous integration) environments.
Security researchers from Socket.dev identified the campaign using internal threat detection tools. According to their report, the malware gathers hostnames, internal and external IP addresses, DNS server details, and user directory paths. It then sends this information to a webhook controlled via Discord.
The campaign appears to be a coordinated attempt to map internal networks and identify high-value enterprise targets.
Package Details and Automation
The attackers used three npm accounts, each registered with similar email formats: npm9960+[1-3]@gmail.com. Each account published 20 malicious packages with names that seem legitimate, such as “react-xterm2,” “seatable,” and “garena-admin.”
The consistent naming, identical payloads, and short publishing window suggest the campaign was automated and systematically executed.
Impact on Developer Environments
The stolen data allows attackers to build detailed maps of private networks and link development systems to public infrastructure. This kind of intelligence can be used to launch future, more targeted attacks.
On continuous integration servers, the malware also exposes internal package registry URLs and build paths, which are valuable assets in supply chain exploitation.
Technical Breakdown
The malware hides its reconnaissance activity in post-install hooks. It uses Node.js built-in modules to scan network interfaces, collect IPv4 addresses, and connect to ipinfo.io for public IP data.
To avoid detection in sandboxes or research labs, the script includes evasion checks. It looks for domains linked to cloud services like “compute.amazonaws.com” and “bc.googleusercontent.com.” It also avoids running in environments where usernames suggest a security research setup, such as “justin,” “mal_data,” or “malicious.”
This strategy ensures the malware focuses on real-world developer environments while avoiding exposure during security testing.