Over 60 malicious NPM packages have been identified that collect sensitive host and network data at install time and send it to a threat actor-controlled Discord webhook. Although they carry no second-stage payload, the data they collect is enough to support targeted attacks on the affected networks, and the packages remain available on NPM, so they should be removed immediately. #NPMThreats #DiscordWebhook #DataExfiltration
Keypoints
- About sixty malicious packages on NPM collect system and network data while they are being installed.
- Each package declares a post-install script in its package.json, which npm runs automatically during installation; the script gathers the hostname, IP addresses, directory paths, and DNS details and posts them to the Discord webhook.
- The threat actor publishes the packages under names that closely resemble legitimate packages, so developers install them by mistake.
- A separate campaign involved eight packages designed to delete files and corrupt data in projects built on several JavaScript frameworks.
- Removing these packages is critical: the reconnaissance data already collected can feed follow-on attacks, and a package that is still published can be updated later with a destructive payload.