BleepingComputer reports that five dozen malicious NPM packages, which are named similarly to legitimate packages and have amassed 3,000 downloads since being uploaded on May 12, have sought to exfiltrate targeted systems' host and network information to an attacker-controlled Discord webhook.
Installing the packages triggers an automated script that collects the targeted device's hostname, username, internal IP addresses, user home directory, current working directory, and system DNS servers, according to an analysis by Socket's Threat Research team. The script also checks for cloud-provider-related hostnames and reverse DNS strings, but it performs no second-stage payload delivery, privilege escalation, or persistence, the report said; it recommended removing the packages immediately and running full system scans on affected devices. The findings come as Socket researchers disclosed eight other malicious NPM packages aimed at the Quill, Vite, Node.js, Vue.js, and React ecosystems that carry data-corruption and system-shutdown capabilities.