Destructive Malware in NPM Repository Remained Unnoticed for Two Years

Researchers have discovered malicious software that was downloaded more than 6,000 times from the NPM repository over a two-year period. The finding highlights the hidden risks users take on when they pull code from open-source package registries like NPM.

Security researcher Kush Pandya from Socket reported that eight packages, posing as legitimate development tools, contained destructive payloads designed to corrupt or delete important data and crash systems. The packages had been available for download for more than two years, accumulating roughly 6,200 downloads in that time.

A Diversity of Attack Vectors

"What makes this campaign particularly concerning is the diversity of attack vectors—from subtle data corruption to aggressive system shutdowns and file deletion," Pandya noted. The packages targeted different parts of the JavaScript ecosystem with several tactics:

  • Deleting files related to Vue.js, a front-end JavaScript framework, using commands for both Windows and Linux.
  • Corrupting core JavaScript functions with random data, so that application code relying on them silently misbehaves.
  • Damaging all browser storage mechanisms with a three-file attack affecting "authentication tokens, user preferences, shopping carts, and application states," producing persistent, hard-to-diagnose failures.
  • "Multi-Phase System Attacks" involving deletion of Vue.js framework files and causing system shutdowns.
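The second tactic in the list above, overriding core functions so they return garbage, is hard to spot because nothing crashes; results are just wrong. The following is an added example written for this page, not code from the Ars article, from Socket's report, or from the malicious packages: an integrity check that snapshots references to the built-ins an application relies on before any third-party module loads, then audits them afterwards. The set of watched functions is an assumption; choose the ones your own code depends on.

```javascript
"use strict";

// Added example, not code from the Ars article, Socket's report, or the malicious
// packages themselves: an integrity check for core JavaScript functions, the kind of
// built-ins the "corrupt core functions" tactic overwrites. Snapshot references before
// any third-party module loads, then audit once dependencies are in.
// The list of watched built-ins is an assumption; pick the ones your application uses.
const WATCHED = [
  ["JSON", "parse"], ["JSON", "stringify"],
  ["Array.prototype", "map"], ["Array.prototype", "filter"], ["Array.prototype", "forEach"],
  ["Object", "keys"], ["Object", "assign"],
  ["String.prototype", "replace"],
];

// Capture Function.prototype.toString now, so a later override of it cannot make a
// replaced function look native to the check below.
const nativeToString = Function.prototype.toString;

// Walk a dotted path such as "Array.prototype" from the global object.
function resolveOwner(ownerPath) {
  return ownerPath.split(".").reduce((obj, key) => obj[key], globalThis);
}

// Record the current reference of every watched built-in.
function snapshotBuiltins(watched = WATCHED) {
  const snapshot = new Map();
  for (const [ownerPath, name] of watched) {
    snapshot.set(`${ownerPath}.${name}`, resolveOwner(ownerPath)[name]);
  }
  return snapshot;
}

// True only for engine-provided functions; a JavaScript replacement has a visible body.
function isNative(fn) {
  if (typeof fn !== "function") return false;
  try {
    return /\{\s*\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
  } catch {
    return false; // Proxies and other exotic callables are treated as suspicious
  }
}

// Compare the live built-ins against the snapshot. Returns one finding per tampered
// function; an empty array means nothing watched has changed.
function auditBuiltins(snapshot, watched = WATCHED) {
  const findings = [];
  for (const [ownerPath, name] of watched) {
    const key = `${ownerPath}.${name}`;
    const current = resolveOwner(ownerPath)[name];
    if (current !== snapshot.get(key)) {
      findings.push({ target: key, reason: "reference changed since snapshot" });
    } else if (!isNative(current)) {
      findings.push({ target: key, reason: "not native code" });
    }
  }
  return findings;
}

// Harmless re-enactment of the tactic: replace two core functions with versions that
// ignore their input and return random data, audit, then restore the originals.
function simulateCorruptionAndAudit() {
  const snapshot = snapshotBuiltins();
  const originalParse = JSON.parse;
  const originalMap = Array.prototype.map;
  JSON.parse = function corruptedParse() { return Math.random().toString(36); };
  Array.prototype.map = function corruptedMap() { return [Math.random()]; };
  try {
    return auditBuiltins(snapshot);
  } finally {
    JSON.parse = originalParse;
    Array.prototype.map = originalMap;
  }
}
```

In a Node application the snapshot belongs in a module loaded ahead of everything else, for example via `node --require ./integrity.js app.js`, with `auditBuiltins` run after imports finish and again periodically. The check is only as trustworthy as the snapshot: taken after an untrusted package has already run, it records the corrupted functions as the baseline. It also addresses only this one tactic; a payload that deletes files or shuts the machine down leaves the built-ins intact.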

Some payloads were designed to fire only on specific dates in 2023; others were set to begin in July with no termination date, making them a persistent threat rather than a one-off. Because every start date has now passed (they ranged from June 2023 to August 2024), the open-ended payloads would run immediately on any system that installs the packages today.

Interestingly, the individual who submitted the malware used an email address linked to legitimate package registrations, creating a facade of legitimacy that made detection difficult. The person behind the packages did not respond to emails.

The malicious packages primarily targeted major JavaScript ecosystems, including React, Vue, and Vite. The specific packages included:

Anyone who has installed these packages should check their projects and build systems to confirm the packages are no longer present or in use. Because the packages closely mimic legitimate development tools, a quick glance at a dependency list may not reveal them.
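One concrete way to carry out that check, as an added example that is not part of the article or of Socket's report: scan the project's npm lockfile for the named packages, including transitive copies nested under another dependency. The package name used below is a placeholder standing in for a package from an advisory, not one of the packages Socket reported; the sample lockfile is constructed for the example.

```javascript
"use strict";

// Added example, not from the article or Socket's report: find named packages anywhere
// in an npm project's lockfile, including transitive copies nested under another
// dependency. package-lock.json v2/v3 keeps a flat "packages" map keyed by install path;
// v1 uses a nested "dependencies" tree. The package names used here are placeholders,
// not the packages from the advisory; substitute the real names when you run this.

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(installPath) {
  const parts = installPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns every occurrence of a blocklisted package: name, install path and version.
function findBlockedPackages(lockfile, blocklist) {
  const blocked = new Set(blocklist);
  const hits = [];
  if (lockfile.packages) {
    // lockfileVersion 2 or 3: one entry per installed path; "" is the root project.
    // An entry carries its own "name" only when it was installed under an alias.
    for (const [installPath, meta] of Object.entries(lockfile.packages)) {
      if (installPath === "") continue;
      const name = meta.name || nameFromPath(installPath);
      if (blocked.has(name)) hits.push({ name, path: installPath, version: meta.version });
    }
  } else if (lockfile.dependencies) {
    // lockfileVersion 1: nested tree, so recurse and rebuild the install path.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const installPath = `${prefix}node_modules/${name}`;
        if (blocked.has(name)) hits.push({ name, path: installPath, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${installPath}/`);
      }
    };
    walk(lockfile.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (v3 shape), not taken from any real project.
// "bad-vite-plugin" is a made-up stand-in for a package you have been told to remove.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { vite: "^5.0.0", "bad-vite-plugin": "^1.0.0" } },
    "node_modules/vite": { version: "5.4.0" },
    "node_modules/vue": { version: "3.4.0" },
    "node_modules/bad-vite-plugin": { version: "1.2.0" },
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/bad-vite-plugin": { version: "1.1.0" },
  },
};

const BLOCKLIST = ["bad-vite-plugin"]; // placeholder name, see above

// For a real project: JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))
for (const hit of findBlockedPackages(SAMPLE_LOCK, BLOCKLIST)) {
  console.log(`${hit.name}@${hit.version} installed at ${hit.path}`);
}
```

For a single package on a single machine, `npm ls <name>` gives the same answer interactively; the lockfile scan is what you would run across many repositories or in CI. Two caveats: a clean lockfile does not undo a payload that already ran on a machine where the package was installed earlier, and projects without a lockfile need their `node_modules` directory walked directly, since the names alone are the only indicator the packages give away.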

Dan Goodin serves as Senior Security Editor at Ars Technica, covering topics like malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his free time, Dan enjoys gardening, cooking, and exploring the independent music scene.

Dan Goodin is on Mastodon and Bluesky, and can be contacted on Signal at DanArs.82.