Malicious npm package targets AWS users

Keypoints

• ReversingLabs researchers monitor public OSS repositories and frequently identify dozens of malicious packages across npm, PyPI, RubyGems, and more, underscoring the scale challenge of policing open-source ecosystems.
• The npm package legacyreact-aws-s3-typescript mimics the legitimate react-aws-s3-typescript package and uses typosquatting to lure developers, with two npm landing pages appearing identical.
• Post-install scripts in legacyreact-aws-s3-typescript run after installation, download an ELF file, and execute it, signaling a second-stage payload/backdoor.
• The second-stage backdoor opens a socket, connects to 91[.]238[.]181[.]250, and executes/receives commands through /bin/sh, showing a direct remote-control capability.
• Earlier versions (1.1.x series) of the malicious package were clean, while malicious updates appeared in 1.2.1, 1.2.2, and culminated in 1.2.4; some versions were published and removed within days/weeks.
• Typosquatting and deception are central to the campaign, with the malicious package leveraging “legacy” naming to appear as a continuation of the legitimate package.
• Spectra Assure Community provides a free risk assessment portal to evaluate package risk across npm, PyPI, and RubyGems, helping developers detect malware, tampering, and vulnerabilities before use.