← Back to Security Blog
Security Briefing 7 min read

New Supply Chain Attack Targets npm Ecosystem — 15 Malicious Packages Found

Security researchers discover 15 malicious npm packages with 47,000+ combined weekly downloads. Packages mimic popular libraries to steal credentials, inject backdoors, and exfiltrate environment variables.


Attack Overview

Socket Security researchers have identified 15 malicious packages in the npm registry that collectively accumulated over 47,000 weekly downloads before detection. The packages used typosquatting and dependency confusion techniques to infiltrate development pipelines.

⚠️ Immediate Action Required

Check your package.json and package-lock.json for the affected packages listed below. Remove and rotate all credentials if any match is found.


Malicious Packages Identified

Package NameMimicsWeekly DownloadsPayload
axoisaxios12,400Credential theft
react-dom-utilsreact-dom8,200Backdoor injection
lodash-utils-2lodash6,800Env var exfiltration
express-sessoinexpress-session4,100Session hijacking
dotenv-expand-clidotenv-expand3,900Secret theft
webpack-dev-srvwebpack-dev-server2,800Reverse shell

6 of 15 packages shown. Full list available in KENSAI's threat intelligence feed.


Attack Techniques

Typosquatting

Attackers register package names that are common misspellings of popular libraries. A single character difference — axois vs axios — is enough to catch developers in a hurry.

Dependency Confusion

Some packages used internal-sounding names (e.g., @company-internal/auth-utils) to exploit organizations that mix public and private npm registries without proper scoping.

Postinstall Hooks

All 15 packages execute malicious code during npm install via postinstall scripts. The payloads are obfuscated using Base64 encoding, string concatenation, and dynamic eval() calls.


Impact Assessment


Remediation

  1. Audit dependencies: Run npm audit and check for typosquatting variants
  2. Lock files: Always commit package-lock.json and verify integrity hashes
  3. Use scoped packages: Configure npm to only allow @your-org/ scoped internal packages
  4. Rotate credentials: If any malicious package was installed, rotate ALL secrets immediately
  5. Enable npm audit signatures: Verify package provenance using npm's built-in signature verification

Protect Your Organization with Kensai

AI-powered vulnerability management with 331,910+ CVEs indexed.

Start Free Trial

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →