Hackers Deploy Weaponized npm Packages to Target React and Node.js JavaScript Frameworks

According to Socket’s Threat Research Team, a series of malicious npm packages has been lurking in the JavaScript ecosystem for more than two years, amassing over 6,200 downloads.

These weaponized packages, targeting popular frameworks like React, Vue.js, Vite, Node.js, and the Quill Editor, were crafted by a threat actor under the npm alias “xuxingfeng” (linked to the email 1634389031@qq[.]com).

npm profile of the threat actor xuxingfeng

Disguised as legitimate plugins and utilities, they carry destructive payloads aimed at corrupting data, deleting critical files, and triggering system shutdowns.

Alarmingly, these packages remain active on the npm registry despite efforts to have them removed, posing an ongoing risk to developers and organizations worldwide.

Malware Campaign Uncovered After Two Years

According to Socket’s report, the sophistication of this campaign lies in its strategic deception and multi-vector attack approach.

The attacker employed typosquatting and naming mimicry, creating packages like “vite-plugin-react-extend” (mimicking @vitejs/plugin-react) and “quill-image-downloader” (mirroring legitimate Quill plugins), to exploit developers’ trust and reliance on autocomplete tools.

By also publishing non-malicious packages under the same alias, the threat actor built a facade of credibility, making the harmful ones harder to suspect.

By targeting high-value tools like Vite, which sees over 28 million weekly downloads in 2025, these packages were engineered to infiltrate real-world applications, CI/CD pipelines, and production environments, ensuring maximum damage.

The payloads range from subtle data corruption in packages like “js-hood,” which sabotages core JavaScript methods (Array.prototype.filter, String.prototype.split) by making them return random data, to aggressive file deletion in “vite-plugin-bomb,” which wipes out Vue.js components using cross-platform tools like rimraf.
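The prototype poisoning described above is worth being able to detect at application start-up, because a patched Array.prototype.filter corrupts every caller in the process, not just the code that imported the package. The following is an added example written for this article, not code from the Socket report or from any of the packages it names. It checks that a handful of built-ins still stringify as native code and still give the right answer on a known input; the simulateTamper function is a deterministic stand-in for the js-hood behaviour (filter returns an empty array instead of random data, so the result is reproducible) and is only there to exercise the check.

```javascript
// Added example, not code from the Socket report or from the packages it names.
// Start-up guard: verify that built-in prototype methods still behave like native code.

// Capture the real Function.prototype.toString before any dependency can replace it.
// Caveat: this only helps if this module is loaded before the tampering code runs.
const nativeToString = Function.prototype.toString;

const BUILTINS = [
  ['Array.prototype.filter', Array.prototype, 'filter'],
  ['Array.prototype.map', Array.prototype, 'map'],
  ['String.prototype.split', String.prototype, 'split'],
  ['JSON.parse', JSON, 'parse'],
];

// Known-answer tests: a patched method can be made to stringify as native, but it
// still has to produce the right output on a fixed input.
const KNOWN_ANSWERS = [
  ['Array.prototype.filter', () => [1, 2, 3, 4].filter((n) => n % 2 === 0), '[2,4]'],
  ['Array.prototype.map', () => [1, 2, 3].map((n) => n * 2), '[2,4,6]'],
  ['String.prototype.split', () => 'a,b,c'.split(','), '["a","b","c"]'],
  ['JSON.parse', () => JSON.parse('{"k":[1]}').k, '[1]'],
];

function looksNative(fn) {
  // V8 renders native functions as "function filter() { [native code] }".
  return typeof fn === 'function' && /\{\s*\[native code\]\s*\}$/.test(nativeToString.call(fn));
}

// Returns human-readable findings; an empty list means nothing looked tampered with.
function checkBuiltins() {
  const findings = [];
  for (const [label, holder, key] of BUILTINS) {
    if (!looksNative(holder[key])) findings.push(`${label}: implementation is not native code`);
  }
  for (const [label, run, expected] of KNOWN_ANSWERS) {
    let actual;
    try { actual = JSON.stringify(run()); } catch (err) { actual = `threw ${err}`; }
    if (actual !== expected) findings.push(`${label}: expected ${expected}, got ${actual}`);
  }
  return findings;
}

// Deterministic stand-in for a prototype-poisoning payload (the real one returns random data).
const originalFilter = Array.prototype.filter;
function simulateTamper() {
  Array.prototype.filter = function filter() { return []; };
}
function restore() {
  Array.prototype.filter = originalFilter;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('clean   :', checkBuiltins());
  simulateTamper();
  console.log('tampered:', checkBuiltins());
  restore();
}
```

Run the guard as the very first import of the application. A package that loads earlier can also replace Function.prototype.toString, which is why the check keeps a known-answer test alongside the native-code test; neither substitutes for keeping the package out of node_modules in the first place.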

Others, such as “quill-image-downloader,” execute advanced client-side attacks by corrupting browser storage mechanisms like localStorage, sessionStorage, and cookies, breaking authentication tokens and user data while evading immediate detection.

Attacks Threaten JavaScript Ecosystem

What makes this campaign particularly insidious is its technical design and concealment tactics.

Many packages use timed activation, triggering destructive behavior on specific dates (some as early as June 2023, others extending into 2024), while employing randomized execution intervals of 1 second to 10 minutes to dodge debugging efforts.

Minified code and robust error handling via try/catch blocks further obscure their malicious intent.

Dynamic path resolution ensures the attacks succeed regardless of installation location, though some packages, like “js-bomb,” reveal flaws: their Linux-style “rm -rf” commands fail on Windows paths, so on Windows the file-deletion stage does nothing and the impact is limited to the system shutdown.

Despite such gaps, the persistent nature of certain phases, especially in “js-bomb” and “vue-plugin-bomb,” whose final attack stages have no end date, means they remain a live threat in 2025, capable of forcing system shutdowns with just a 5-second warning.
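The concealment tactics in this section (date gates, randomised timer delays, recursive deletion, shutdown commands, storage wiping, prototype reassignment, empty catch blocks) are individually unremarkable but rarely appear together in a build plugin. The scanner below is an added example written for this article, not code from the Socket report or from the packages it names; it is a static triage heuristic, so it will produce false positives on legitimate code and must be read as a prioritisation aid, not a verdict. Both sample sources are constructed for the demo and are scanned as strings, never executed.

```javascript
// Added example, not code from the Socket report or from the packages it names.
// Static triage: score package source text for the concealment patterns described above.

const RULES = [
  { id: 'date-gate', weight: 3, why: 'compares the clock against a hard-coded date',
    re: /new\s+Date\s*\(\s*['"]\d{4}-\d{2}-\d{2}|Date\.now\(\)\s*[<>]=?\s*\d{12,}/ },
  { id: 'random-delay', weight: 2, why: 'timer delay derived from Math.random',
    re: /set(?:Timeout|Interval)[\s\S]{0,200}?Math\.random|Math\.random[\s\S]{0,200}?set(?:Timeout|Interval)/ },
  { id: 'fs-wipe', weight: 4, why: 'recursive file deletion',
    re: /\b(?:rimraf|rmSync|rmdirSync)\b|rm\s+-rf\b/ },
  { id: 'shutdown', weight: 4, why: 'system shutdown command',
    re: /\bshutdown\s+(?:\/s|-h|-r|now)\b|\bpoweroff\b/ },
  { id: 'storage-clear', weight: 2, why: 'clears browser storage',
    re: /\b(?:localStorage|sessionStorage)\.clear\s*\(/ },
  { id: 'proto-override', weight: 3, why: 'reassigns a built-in prototype method',
    re: /\b(?:Array|String|Object|Function)\.prototype\.\w+\s*=[^=]/ },
  { id: 'swallow-errors', weight: 1, why: 'empty catch block hides failures',
    re: /catch\s*(?:\([^)]*\))?\s*\{\s*\}/ },
];

// Scan one file's source text; returns the matched rules and a summed weight.
function scanSource(name, source) {
  const hits = [];
  for (const rule of RULES) {
    const m = rule.re.exec(source);
    if (!m) continue;
    // 1-based line of the first match, for the triage report.
    const line = source.slice(0, m.index).split('\n').length;
    hits.push({ rule: rule.id, weight: rule.weight, line, why: rule.why });
  }
  const score = hits.reduce((sum, h) => sum + h.weight, 0);
  return { name, score, hits };
}

// Rank a set of { name: source } entries, keeping only those at or above the threshold.
function triage(sources, threshold = 5) {
  return Object.entries(sources)
    .map(([name, src]) => scanSource(name, src))
    .filter((r) => r.score >= threshold)
    .sort((a, b) => b.score - a.score);
}

// Constructed sample: the shape of a time-gated destructive plugin (a string, never run).
const SUSPECT_SRC = `
module.exports = function plugin() {
  try {
    if (new Date() >= new Date('2023-06-01')) {
      setTimeout(() => require('rimraf').sync('src/components'), 1000 + Math.random() * 599000);
    }
  } catch (e) {}
};
`;

// Constructed sample: an ordinary build plugin with none of the patterns.
const BENIGN_SRC = `
export default function plugin(options = {}) {
  return {
    name: 'demo-plugin',
    transform(code, id) {
      if (!id.endsWith('.vue')) return null;
      return { code: code.replace(/__DEV__/g, 'false'), map: null };
    },
  };
}
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of triage({ suspect: SUSPECT_SRC, benign: BENIGN_SRC })) {
    console.log(`${r.name} (score ${r.score})`);
    for (const h of r.hits) console.log(`  line ${h.line}: ${h.rule} - ${h.why}`);
  }
}
```

In practice the sources would be read from node_modules with fs, and minified files should be pretty-printed first so the line numbers mean something. The weights are an assumption for the example; tune them against the project's own dependency set.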

Organizations are urged to audit dependencies, restore environments from trusted sources, rotate credentials, and leverage tools like Socket’s AI Scanner to detect such supply chain risks in real time.

Indicators of Compromise (IOCs)

Malicious Packages: js-bomb, js-hood, vite-plugin-bomb-extend, vite-plugin-bomb, vite-plugin-react-extend, vite-plugin-vue-extend, vue-plugin-bomb, quill-image-downloader
Threat Actor Identifiers: npm alias xuxingfeng; npm registration email 1634389031@qq[.]com
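The dependency audit the article recommends can be scripted against package-lock.json, which in lockfile versions 2 and 3 lists every installed package by its node_modules path and marks packages with install-time lifecycle scripts via hasInstallScript. The following is an added example written for this article, not code from Socket or from the packages it names. It checks the lock file against the IOC package names above, flags anything that runs a script during npm install, and applies a crude look-alike check against a TRUSTED allow-list that is assumed for the example. The lock file at the bottom is constructed, and its version strings are placeholders, not real releases.

```javascript
// Added example, not code from Socket or from the packages it names.
// Audit a package-lock.json (lockfileVersion 2/3 "packages" map) for IOC matches,
// install-time scripts, and names that mimic a trusted package.

// IOC list from the article.
const IOC_PACKAGES = new Set([
  'js-bomb', 'js-hood', 'vite-plugin-bomb-extend', 'vite-plugin-bomb',
  'vite-plugin-react-extend', 'vite-plugin-vue-extend', 'vue-plugin-bomb',
  'quill-image-downloader',
]);

// Assumed for the example: packages this project intends to use. A real audit would
// take this from the project's own allow-list.
const TRUSTED = ['@vitejs/plugin-react', '@vitejs/plugin-vue', 'quill'];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Crude naming-mimicry check: the unscoped part of a trusted name embedded in a
// different package name. Expect false positives on legitimate community plugins.
function resemblesTrusted(name) {
  if (TRUSTED.includes(name)) return null;
  for (const trusted of TRUSTED) {
    const core = trusted.includes('/') ? trusted.split('/')[1] : trusted;
    if (core.length >= 5 && name.includes(core)) return trusted;
  }
  return null;
}

function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = meta.name || packageNameFromPath(lockPath);
    if (IOC_PACKAGES.has(name)) {
      findings.push({ name, path: lockPath, severity: 'high', reason: 'listed as a known malicious package' });
    }
    if (meta.hasInstallScript) {
      // npm runs preinstall/install/postinstall automatically, so the package gets
      // code execution before anything imports it.
      findings.push({ name, path: lockPath, severity: 'medium', reason: 'runs an install-time lifecycle script' });
    }
    const mimicked = resemblesTrusted(name);
    if (mimicked) {
      findings.push({ name, path: lockPath, severity: 'low', reason: `name resembles trusted package ${mimicked}` });
    }
  }
  // Highest severity first so the output reads as a triage list.
  const rank = { high: 0, medium: 1, low: 2 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]);
}

function auditLockfileText(json) {
  return auditLockfile(JSON.parse(json));
}

// Constructed lock file for the demo; versions are placeholders, not real releases.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { vite: '*', 'vite-plugin-react-extend': '*' } },
    'node_modules/vite': { version: '0.0.0-placeholder' },
    'node_modules/@vitejs/plugin-react': { version: '0.0.0-placeholder' },
    'node_modules/vite-plugin-react-extend': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/quill-image-downloader': { version: '0.0.0-placeholder' },
    'node_modules/esbuild': { version: '0.0.0-placeholder', hasInstallScript: true },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`[${f.severity}] ${f.path}: ${f.reason}`);
}
```

For a real project, pass the file contents to auditLockfileText. Install-script findings are noisy (native-addon packages use them legitimately), but each one is a package that executes on a developer or CI machine at install time; running npm with ignore-scripts enabled in CI removes that execution path for everything except packages explicitly trusted to need it.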
