An advanced malware campaign on the npm registry steals the very keys that control enterprise cloud infrastructure.
Open-source software (OSS) lets enterprise development teams innovate at pace, but this speed also introduces an often poorly governed security risk: the software supply chain.
Socket has identified 10 malicious packages on npm, the core repository for the JavaScript ecosystem, which deploy a multi-stage operation to steal developer credentials. These packages – which have existed for over four months and accumulated thousands of downloads – are complex, cross-platform weapons designed to harvest the “crown jewels” of a modern enterprise.
From helpful tool to cloud compromise
Unlike simpler attacks, this npm malware campaign’s primary goal is the methodical theft of credentials that provide direct access to corporate cloud environments. The malware is purpose-built to locate and exfiltrate authentication keys for major enterprise platforms.
The payload, a 24MB binary, actively scans the victim’s filesystem for configuration files related to AWS (~/.aws/credentials), Kubernetes (~/.kube/config), and Docker (~/.docker/config.json). The theft of these files provides an attacker with the keys to an organisation’s entire cloud infrastructure, potentially enabling them to access production databases, disrupt services, or exfiltrate sensitive customer data.
The attack also neutralises a primary layer of corporate defence: multi-factor authentication (MFA). The malware is designed to extract browser session cookies.
As the report notes, “stealing an active session cookie allows the threat actor to impersonate the victim without needing the password or second factor”. This grants attackers immediate authenticated access to key web consoles such as the AWS Console, Azure Portal, Google Cloud Console, and source code repositories like GitHub and GitLab.
The malware also targets modern API authentication mechanisms, harvesting OAuth and JWT tokens. These tokens are vital for CI/CD pipelines and service-to-service communication, and their theft can provide an attacker with long-term access to corporate systems.
How the npm malware campaign evades detection
The attack’s success hinges on its mix of technical evasion and social engineering. It begins when a developer makes a simple mistake, installing a “typosquatted” package like dizcordjs (mimicking discord.js) or react-router-dom.js (mimicking react-router-dom).
As soon as it’s installed, the process is automated. The malware uses npm’s postinstall hook, a standard feature, to execute immediately. To avoid suspicion, it “launches in a new terminal window to avoid detection during the install process”.
The malware displays a fake ASCII CAPTCHA prompt, designed to “make the malware appear to be legitimate bot protection” and “delay execution, making the connection to npm install less obvious”. While the developer is occupied by this prompt, the malware fingerprints the victim’s IP address and downloads the final payload. After any text is entered, the malware even displays fake installation messages, such as “Installing discord.js package…”, to complete the illusion.
This payload is hidden behind four distinct layers of obfuscation – including eval wrappers, XOR encryption, and control flow obfuscation – which makes it incredibly difficult for static analysis tools to detect. The final binary is a cross-platform information stealer that targets the native credential stores of Windows, macOS, and Linux.
Assume compromise and harden your workflows
This incident is a stress test of an enterprise’s software supply chain governance. Given that the npm packages used for this malware campaign were live for months, any organisation using them must act decisively. As the research team bluntly states: “Any system where these packages were installed should be assumed fully compromised”.
A full-scale remediation effort is non-negotiable. Security teams must prioritise the immediate rotation of all potentially compromised credentials. This includes revoking all OAuth and JWT tokens, rotating all API keys, and invalidating all developer SSH keys. All credentials stored in system keyrings (like Windows Credential Manager or macOS Keychain) and browser password managers on affected machines must be considered stolen.
Simultaneously, security operations centres must actively hunt for threats. Logs should be audited for any connections to the attacker’s command-and-control server (IP address 195[.]133[.]79[.]43) and for any signs of lateral movement originating from developer workstations.
This latest npm malware campaign once again shows that developers can’t afford to treat dependency management as a low-level development task. Implementing security tools that scan for malicious packages before they are installed, such as dependency firewalls or advanced CLI scanners, is essential. Security must be embedded directly into the CI/CD pipeline and the developer’s local environment, not just at the network perimeter.
See also: Can an open-source framework solve AI agent complexity?
Want to learn more about cybersecurity from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is part of TechEx and is co-located with other leading technology events, click here for more information.
Developer is powered by TechForge Media. Explore other upcoming enterprise technology events and webinars here.