Socket Security reports 60 malicious npm packages exfiltrating network and host data

Socket's Threat Research Team is reporting an active malware campaign with at least 60 malicious npm packages designed to silently collect and exfiltrate sensitive system information from developer machines and CI/CD environments.

The campaign began at approximately 15th of May 2025, and is still active. It has already accumulated over 3,000 downloads across the compromised packages. These packages were published under three different npm accounts, each publishing 20 malicious packages with identical malicious payloads.

The malicious packages contain post-install scripts that automatically execute during the standard 'npm install' process. These scripts perform reconnaissance on the victim's system, collecting various network and host identifiers before sending this data to a Discord webhook controlled by the threat actor. The campaign appears focused on mapping potential targets for future, more invasive attacks by gathering internal network topology and system information.

The malicious scripts have multiple mechanisms to evade detection: 

• sandbox-evasion techniques designed to avoid executing in research or cloud environments - It performs checks to avoid running in known sandbox environments such as AWS, Google Cloud, or research VMs.
• use misleading names that mimic legitimate packages or suggest testing functionality to trick developers into installation.
• The post-install scripts in these packages collect and transmit the following sensitive information:
  • Hostnames (both internal and external)
  • Internal IP addresses
  • External IP addresses
  • DNS server configurations
  • User home directory paths
  • Current working directory
  • Username
  • Package.json details
  • Organization information

The three npm accounts responsible for publishing these packages (bbbb335656, sdsds656565, and cdsfdfafd1232436437) all appear linked, using similar email patterns for registration (npm9960+1@gmail[.]com, npm9960+2@gmail[.]com, and npm9960+3@gmail[.]com). While Socket has petitioned npm to remove these packages, they remained available at the time of the initial report but appear to have been removed by the time of the second publication.

While Socket's analysis has not observed the delivery of second-stage payloads or persistence mechanisms, the reconnaissance data gathered could enable highly targeted follow-up attacks. For continuous integration environments, the leak reveals internal package registry URLs and build paths, intelligence that could accelerate subsequent supply chain attacks. By connecting internal networks to their external presence, attackers can build detailed maps of organizational infrastructure for future campaigns.

The threat actors demonstrate patience and strategic planning, focusing on quiet reconnaissance rather than immediate damage – a concerning indicator of a sophisticated adversary.

Development teams are advised to review the list of packages below and remove them from development environments, then perform system scans to identify any potential secondary infections

1. Adopt dependency-scanning tools that can detect suspicious post-install hooks, hardcoded URLs, and unusually small packages
2. Implement automated security checks in development pipelines
3. Consider using Socket's GitHub app, CLI, or browser extension to flag suspicious patterns before packages enter codebases
4. Implement network monitoring to detect unexpected outbound connections, particularly to Discord webhooks
5. Review CI/CD environments for signs of compromise

Malicious Packages by Account

bbbb335656 (registration email npm9960+1@gmail[.]com) – 20 packages

1. e-learning-garena
2. inhouse-root
3. event-sharing-demo
4. hermes-inspector-msggen
5. template-vite
6. flipper-plugins
7. appium-rn-id
8. bkwebportal
9. gop_status_frontend
10. index_patterns_test_plugin
11. seatable
12. zdauth
13. mix-hub-web
14. chromastore
15. performance-appraisal
16. choosetreasure
17. rapper-wish
18. 12octsportsday
19. credit-risk
20. raffle-node

sdsds656565 (registration email npm9960+2@gmail[.]com) – 20 packages

1. coral-web-be
2. garena-react-template-redux
3. sellyourvault
4. admin-id
5. seacloud-database
6. react-xterm2
7. bkeat-pytest
8. mysteryicons
9. mshop2
10. xlog-admin-portal
11. datamart
12. garena-admin
13. estatement-fe
14. kyutai-client
15. tgi-fe
16. gacha-box
17. tenslots
18. refreshrewards
19. codeword
20. sps

cdsfdfafd1232436437 (registration email npm9960+3@gmail[.]com) – 20 packages

1. seatalk-rn-leave-calendar
2. netvis
3. input_control_vis
4. env-platform
5. web-ssar
6. hideoutpd
7. arcademinigame
8. customer-center
9. team-portal
10. dof-ff
11. seamless-sppmy
12. accumulate-win
13. sfc-demo
14. osd_tp_custom_visualizations
15. routing-config
16. gunbazaar
17. mbm-dgacha
18. wsticket
19. all-star-2019
20. data-portal-dwh-apps-fe