Socket’s Threat Research Team uncovered a multi-year campaign involving eight malicious npm packages targeting popular JavaScript frameworks such as React, Vue.js, and Vite. The packages rely on typosquatting and progressive attacks, including file deletion, data corruption, and forced system shutdowns, to disrupt developer workflows and production environments.
#vite-plugin-bomb #js-hood #quill-image-downloader #js-bomb #xuxingfeng
Key Points
- Eight malicious npm packages by threat actor “xuxingfeng” have been active for over two years, accumulating 6,200+ downloads by mimicking popular JavaScript plugins.
- The packages target critical tools and libraries in the JavaScript ecosystem such as Vite, React, Vue.js, and the Quill Editor, exploiting developers’ reliance on third-party plugins.
- Attack methods range from destructive file deletion across frameworks and corruption of core JavaScript prototype methods to client-side browser storage manipulation and forced system shutdowns.
- The attack strategy includes phased, timed activations with randomized intervals from 1 second to 10 minutes, making detection and mitigation difficult.
- The quill-image-downloader package uniquely corrupts localStorage, sessionStorage, and cookies simultaneously, causing intermittent, hard-to-diagnose web application failures.
- Although the same actor also published some legitimate packages to build trust, the malicious packages remain active on npm as of 2025 and continue to pose a threat.
- Recommended mitigations include auditing dependencies, restoring environments from clean sources, credential rotation, and using Socket’s security tools for real-time detection and prevention.
MITRE Techniques
- [T1195.002] Supply Chain Compromise – Malicious npm packages infiltrated the software supply chain by masquerading as legitimate plugins (“…npm packages that deploy attacks against widely-used JavaScript frameworks…”).
- [T1059.007] Command and Scripting Interpreter: JavaScript – JavaScript code was used for destructive actions including file deletion, data corruption, and storage manipulation (“…corrupt JavaScript’s core Array and String methods with random data…”).
- [T1565] Data Manipulation – Core JavaScript methods and client-side storage were manipulated to return corrupted and unpredictable data (“…corrupts all browser storage mechanisms with a coordinated three-file attack…”).
- [T1485] Data Destruction – Multiple packages implemented cross-platform file deletion targeting Vue.js, React, and other libraries to destroy framework components (“…Deletes Vue.js framework files using cross-platform deletion methods…”).
- [T1529] System Shutdown/Reboot – Attackers forced frequent, near-continuous system shutdowns to disrupt environments (“…process.execSync("shutdown -s -t 5") executed every second…”).
Indicators of Compromise
- [Malicious npm Packages] Eight identified malicious packages, including js-bomb, vite-plugin-bomb, js-hood, and quill-image-downloader – used to deploy destructive payloads across JavaScript ecosystems.
- [Threat Actor Identifiers] npm Alias: xuxingfeng; Registration Email: 1634389031@qq[.]com – linked to all malicious npm accounts publishing both harmful and legitimate packages.
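As an added example (not code from Socket’s report or from the packages it describes), a small Node.js audit that checks an installed dependency tree for the four package names listed above and scans package source text for the behaviours the key points describe. The package-lock.json layout, the node_modules path used in the deletion signature, and the sample inputs are assumptions.

```javascript
// Added example, not code from Socket or from the packages described: audit a
// package-lock.json v2/v3 "packages" map and package source text for the names
// and behaviours this summary lists. Sample inputs below are constructed.

// Package names the summary identifies as malicious (the other four are not named).
const KNOWN_MALICIOUS = new Set(["js-bomb", "vite-plugin-bomb", "js-hood", "quill-image-downloader"]);

// Signatures derived from the summary: forced shutdowns, Array/String prototype
// overwrites, deletion of framework files (node_modules path is an assumption),
// browser storage tampering, and randomized activation delays.
const SIGNATURES = [
  { id: "forced-shutdown",      re: /exec(?:Sync)?\(\s*["'`]shutdown\b/ },
  { id: "prototype-corruption", re: /\b(?:Array|String)\.prototype\.\w+\s*=[^=]/ },
  { id: "framework-deletion",   re: /\b(?:rmSync|unlinkSync|rm\b[^\n]*-rf)[^\n]*node_modules[\\/](?:vue|react|vite)\b/ },
  { id: "storage-tampering",    re: /\b(?:localStorage|sessionStorage)\.(?:setItem|clear)\b|document\.cookie\s*=/ },
  { id: "randomized-timer",     re: /set(?:Timeout|Interval)[\s\S]{0,500}?Math\.random\(\)/ },
];

// Report every installed copy of a listed package, including transitive copies
// nested under another package's node_modules directory.
function auditLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (KNOWN_MALICIOUS.has(name)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}

// Return the id of every signature that matches a package's source text.
function scanSource(source) {
  return SIGNATURES.filter((s) => s.re.test(source)).map((s) => s.id);
}

// Constructed sample inputs (not real package contents).
const sampleLock = { packages: {
  "": { name: "app" },
  "node_modules/react": { version: "18.3.1" },
  "node_modules/vite-plugin-bomb": { version: "1.0.0" },
  "node_modules/some-lib/node_modules/js-hood": { version: "0.1.0" },
} };
const sampleSource = [
  "setTimeout(() => {",
  "  require('child_process').execSync('shutdown -s -t 5');",
  "  Array.prototype.map = function () { return Math.random(); };",
  "}, 1000 + Math.random() * 599000);",
].join("\n");

// Prints [ 'vite-plugin-bomb', 'js-hood' ] and the three matching signature ids.
console.log(auditLockfile(sampleLock).map((h) => h.name), scanSource(sampleSource));
```

Signature matching is a triage aid, not proof: treat a hit as a reason to pull the package for manual review and to check its publisher against the identifiers above.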