2025 Report: Destructive Malware in Open Source Packages

Over the past year Socket observed a rise in destructive open-source packages that directly sabotage developer environments by deleting source code, breaking builds, and wiping repositories or CI artifacts. These packages—published to npm, PyPI, NuGet, and Go module indexes—used remote kill switches, time-delays, typosquatting/dependency confusion, and remote payload loaders to trigger targeted codebase destruction. #Socket #npm

Keypoints

Socket documented a growing trend of sabotage-oriented packages in open source registries that focus on deleting developer assets rather than traditional financial theft.
Destructive payloads were often surgical—targeting Git repositories, source directories, config files, and build outputs—to maximize operational disruption while avoiding broader endpoint detection.
Malicious packages were distributed via trusted registries and frequently executed during installation through lifecycle hooks, impacting both local developer machines and CI/CD runners at scale.
Four recurring attack patterns were observed: remote kill switches, time-delayed execution, targeted codebase wiping, and remote payload fetching (multi-stage loaders).
Different ecosystems showed distinct delivery methods: npm accounted for many frontend/tooling cases; PyPI relied on typosquatting and dependency confusion; NuGet used delayed wipes targeting Windows; Go modules acted as loaders fetching remote scripts.
Recommendations include disabling unnecessary install-time scripts in CI, enforcing dependency pinning and provenance checks, monitoring for unexpected filesystem deletions during builds, and favoring established maintainers over new/low-reputation packages.

MITRE Techniques

[T1195 ] Supply Chain Compromise – Publishing malicious dependencies to public registries to achieve initial access and execution during install (‘These packages were published through trusted registries including npm, PyPI, NuGet Gallery, and Go module indexes’)
[T1036 ] Masquerading – Using typosquatting and dependency confusion to impersonate legitimate packages and trick developers into installing malicious versions (‘PyPI packages often relied on typosquatting and dependency confusion’)
[T1485 ] Data Destruction – Selective deletion of developer assets such as repositories, source directories, configuration files, and CI build outputs to cause operational impact (‘They delete only what matters to developers: Git repositories, source directories, configuration files, and CI build outputs’)
[T1105 ] Ingress Tool Transfer – Remote fetching of destructive scripts or executables at runtime via HTTP, wget, curl, or client libraries to keep initial packages minimal (‘the published package contained minimal malicious logic itself and instead acted as a loader… fetched destructive scripts or executable code from a remote server using standard tools such as wget, curl, or HTTP client libraries’)
[T1071 ] Application Layer Protocol – Periodic polling of attacker-controlled endpoints (HTTP) to receive activation signals or kill-switch commands for delayed or remote-triggered execution (‘periodically polling attacker-controlled endpoints for instructions’)
[T1059 ] Command and Scripting Interpreter – Use of shell commands and scripting (e.g., recursive delete commands, invoked installers or lifecycle scripts) to perform destructive actions during install or runtime (‘issued recursive delete commands, poisoned environment state, or forcibly terminated processes’)

Indicators of Compromise

[Registry / package identifiers ] Context: malicious packages published to public registries – examples: npm packages targeting React/Vite project structures, typosquatted PyPI packages (no specific package names provided)
[Endpoints / domains ] Context: attacker-controlled endpoints used as remote kill switches – example: periodic polling of attacker-controlled endpoints for activation (no domains disclosed)
[File paths / filenames ] Context: targeted developer assets and framework paths – examples: Git repositories, framework-specific directories (React, Vue, Vite paths), configuration files
[Scripts / commands ] Context: destructive commands and fetched scripts used by loaders – examples: recursive delete (rm -rf) commands, shell scripts fetched via wget/curl
[Remote payload URLs ] Context: URLs hosting destructive payloads fetched at runtime – examples: remote server URLs and HTTP endpoints used to serve wipe scripts (no specific URLs provided)