60 Malicious npm Packages Exfiltrate Hostnames, IP Addresses, and DNS Server Details


Socket’s Threat Research Team has revealed a sophisticated and ongoing campaign targeting the npm ecosystem, involving 60 malicious packages published under three distinct accounts: bbbb335656, cdsfdfafd49Group2436437, and sdsds656565.

First detected just eleven days ago, with the latest package appearing mere hours before this report, these packages embed a covert script that activates during the npm install process.

This script meticulously gathers sensitive system data, including hostnames, internal and external IP addresses, DNS server configurations, usernames, and user directory paths.


Stealthy npm Campaign

The harvested data is then exfiltrated to a Discord webhook controlled by the threat actor, enabling real-time tracking of infected systems across Windows, macOS, and Linux environments.

With over 3,000 combined downloads, this operation provides the attacker with a detailed map of developer and enterprise networks, setting the stage for potential follow-on intrusions.


On the technical side, the malicious script within these packages uses the Node.js os and dns modules to fingerprint infected machines.

It enumerates local network interfaces to capture internal IP addresses while querying external services like ipinfo[.]io to obtain public-facing IP details.

Additionally, the script incorporates sandbox-evasion logic, aborting execution if it detects environments indicative of AWS, GCP, or common research VMs through hostname checks or directory patterns.

This selective targeting underscores the threat actor’s intent to focus on genuine victims rather than test systems.

Technical Depth of the Malicious Payload

The collected data, formatted as a comprehensive JSON blob, includes critical identifiers like package names, project paths, and organizational details, which are then transmitted to a hardcoded Discord webhook URL.

According to Socket’s report, this reconnaissance payload, identical across all 60 packages, poses a significant strategic risk, particularly on continuous-integration servers, where internal registry URLs and build paths could be exposed, facilitating future supply chain attacks.

Although currently limited to data collection, the intelligence gathered, which links private environments to public infrastructure, could pave the way for more destructive campaigns if not addressed.

The npm registry has yet to remove these packages or suspend the associated accounts, heightening the likelihood of additional releases with refined evasion techniques or escalated payloads.

Given the active nature of this campaign, the absence of npm registry guardrails for post-install hooks remains a critical vulnerability.

Defenders are urged to integrate dependency-scanning tools to detect suspicious post-install scripts, hardcoded URLs, and minimal tarball sizes.
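As an added example (not the article’s or Socket’s own tooling), the audit below implements the check described above: it reads a package’s install-time lifecycle hooks and scans the scripts they invoke for the fingerprinting calls and hardcoded Discord webhook pattern the report attributes to this campaign. The package name, script fragments and webhook id/token in the fixture are constructed placeholders, not the real IoCs.

```javascript
// Added example: audit npm lifecycle scripts for the fingerprint-and-exfiltrate
// pattern described in the report (not Socket's own tooling).
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators taken from the reported behaviour; the exfil endpoint is a Discord webhook.
const INDICATORS = {
  discordWebhook: /discord(?:app)?\.com\/api\/webhooks\/\d+\/[\w-]+/i,
  publicIpLookup: /ipinfo\.io/i,
  interfaceEnum: /os\.networkInterfaces\s*\(/,
  dnsServers: /dns\.getServers\s*\(/,
  hostInfo: /os\.(?:hostname|userInfo|homedir)\s*\(/,
};
const FINGERPRINT = ['publicIpLookup', 'interfaceEnum', 'dnsServers', 'hostInfo'];

// Pull script paths out of a hook command such as "node scripts/setup.js".
function scriptFilesFromCommand(cmd) {
  return [...cmd.matchAll(/\bnode\s+([^\s&|;]+\.[cm]?js)/g)].map(m => m[1]);
}

// `pkg` is a parsed package.json; `readSource(relPath)` returns a script's text
// (or undefined), injected so the audit runs against in-memory fixtures too.
function auditPackage(pkg, readSource) {
  const hits = new Set();
  for (const hook of LIFECYCLE) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    hits.add('lifecycle:' + hook);
    for (const src of [cmd, ...scriptFilesFromCommand(cmd).map(readSource)]) {
      if (!src) continue;
      for (const [name, re] of Object.entries(INDICATORS)) if (re.test(src)) hits.add(name);
    }
  }
  const indicators = [...hits];
  const fingerprints = FINGERPRINT.some(i => hits.has(i));
  const exfil = hits.has('discordWebhook');
  const risk = fingerprints && exfil ? 'high' : indicators.length > 1 ? 'medium' : indicators.length ? 'low' : 'none';
  return { name: pkg.name, indicators, risk };
}

// Constructed fixture: fragments of a postinstall script carrying the reported
// indicators (webhook id/token are placeholders, not the real IoC).
const SAMPLE_PKG = { name: 'constructed-sample', scripts: { postinstall: 'node setup.js' } };
const SAMPLE_FILES = {
  'setup.js': [
    "const data = { host: os.hostname(), nics: os.networkInterfaces(), dns: dns.getServers() };",
    "// ... public IP from https://ipinfo.io/json, then POST to",
    "// https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN",
  ].join('\n'),
};
```

To run it over an installed tree, call auditPackage for each package.json under node_modules with a readSource that resolves paths relative to that package directory; anything rated high deserves a look before the build proceeds.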

Tools like the Socket GitHub app, CLI, and browser extension can flag risky patterns during installs or while browsing, fortifying development pipelines against such threats.

As the threat actor continues to operate, likely preparing for deeper intrusions based on the reconnaissance data amassed, proactive measures are essential to prevent further compromise within the npm ecosystem.

Indicators of Compromise (IOCs)

Malicious Accounts: bbbb335656 (npm9960+1@gmail[.]com), sdsds656565 (npm9960+2@gmail[.]com), cdsfdfafd1232436437 (npm9960+3@gmail[.]com)
Number of Packages: 60 (20 per account)
Exfiltration Endpoint: hxxps://discord[.]com/api/webhooks/1330015051482005555/5fll497pcjzKBiY3b_oa9YRh-r5Lr69vRyqccawXuWE_horIlhwOYzp23JWm-iSXuPfQ
