Hackers are abusing the Node Package Manager (NPM) registry, a database of JavaScript packages, to target multi-language developers with typo-squatted packages that carry information stealers and remote code execution (RCE) payloads.
According to research by cybersecurity firm Socket, a coordinated malware campaign, with evidence of origin in China, has published dozens of malicious packages that mimic well-known Python, Java, C++, .NET, and Node.js libraries.
“This tactic may specifically target developers familiar with multiple programming languages, tricking them into installing malicious packages due to familiar-sounding package names, which appear unexpectedly in the npm registry instead of their original ecosystem,” said Socket researchers in a blog post.
The booby-trapped packages used in the campaign contain obfuscated code designed to slip past security defences, run malicious scripts that siphon off sensitive data, and establish persistence on affected systems.
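The defensive check a practitioner would want after reading this is a dependency audit that flags exactly the two signals the report describes: an npm package whose name is the well-known name of a library from another ecosystem (or one typo away from it), and a package that runs scripts at install time. The following is an added example written for this page, not code from Socket or from the campaign; the watchlist of cross-ecosystem names, the sample installed manifests, and the edit-distance threshold are all my own constructions and assumptions, and none of the names below are the packages named in the report. It reads the `package.json` manifests found under `node_modules` (here embedded inline) and returns a list of findings.

```javascript
// Added example (not from the Socket report): audit installed npm packages for
// cross-ecosystem name confusion and install-time lifecycle hooks.

// Constructed watchlist: names that are well known in *other* ecosystems, keyed
// lowercase. Chosen by the author of this example, not taken from the report.
const CROSS_ECOSYSTEM_WATCHLIST = {
  "requests": "PyPI",
  "numpy": "PyPI",
  "commons-lang3": "Maven",
  "newtonsoft.json": "NuGet",
  "boost": "C++ (Boost)",
};

// npm runs these script keys automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Standard Levenshtein edit distance with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                                   // deletion
        prev[j - 1] + 1,                               // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)         // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Assumption: names of 8+ characters may differ by 2 edits, shorter ones by 1.
function typoThreshold(knownName) {
  return knownName.length >= 8 ? 2 : 1;
}

// manifests: { [packageName]: parsed package.json of that installed package }
// Returns an array of { name, severity, reason } findings.
function auditInstalledPackages(manifests, watchlist = CROSS_ECOSYSTEM_WATCHLIST) {
  const findings = [];
  for (const [name, manifest] of Object.entries(manifests)) {
    const lower = name.toLowerCase();

    if (watchlist[lower]) {
      findings.push({
        name,
        severity: "high",
        reason: `name is the well-known ${watchlist[lower]} package "${lower}" but was installed from npm`,
      });
    } else {
      for (const [known, ecosystem] of Object.entries(watchlist)) {
        const d = levenshtein(lower, known);
        if (d > 0 && d <= typoThreshold(known)) {
          findings.push({
            name,
            severity: "high",
            reason: `name is ${d} edit(s) away from ${ecosystem} package "${known}" (possible typosquat)`,
          });
        }
      }
    }

    // Install-time hooks are how a package gets code to run without being imported.
    const scripts = (manifest && manifest.scripts) || {};
    const hooks = INSTALL_HOOKS.filter((h) => Object.prototype.hasOwnProperty.call(scripts, h));
    if (hooks.length > 0) {
      findings.push({
        name,
        severity: "medium",
        reason: `declares install-time lifecycle hook(s): ${hooks.join(", ")}`,
      });
    }
  }
  return findings;
}

// Constructed sample of what a node_modules scan might yield (hypothetical names).
const SAMPLE_INSTALLED = {
  "requests": { name: "requests", version: "1.0.0", scripts: { postinstall: "node setup.js" } },
  "lodash":   { name: "lodash",   version: "4.17.21" },
  "nunpy":    { name: "nunpy",    version: "0.0.1", scripts: { preinstall: "node loader.js" } },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditInstalledPackages(SAMPLE_INSTALLED)) {
    console.log(`[${f.severity}] ${f.name}: ${f.reason}`);
  }
}

module.exports = { levenshtein, auditInstalledPackages, CROSS_ECOSYSTEM_WATCHLIST, SAMPLE_INSTALLED };
```

On the sample input the audit reports `requests` twice (cross-ecosystem name plus a `postinstall` hook), `nunpy` twice (one edit from `numpy` plus a `preinstall` hook) and nothing for `lodash`. In practice the watchlist would be populated from the dependency names of a project's own Python, Java, .NET or C++ components, and the hook finding is a prompt to read the script before allowing the install (for example with `npm install --ignore-scripts` during triage), not a verdict on its own.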