Security researchers discover 15 malicious npm packages with 47,000+ combined weekly downloads. Packages mimic popular libraries to steal credentials, inject backdoors, and exfiltrate environment variables.
Socket Security researchers have identified 15 malicious packages in the npm registry that collectively accumulated over 47,000 weekly downloads before detection. The packages used typosquatting and dependency confusion techniques to infiltrate development pipelines.
Check your package.json and package-lock.json for the affected packages listed below. Remove and rotate all credentials if any match is found.
| Package Name | Mimics | Weekly Downloads | Payload |
|---|---|---|---|
axois | axios | 12,400 | Credential theft |
react-dom-utils | react-dom | 8,200 | Backdoor injection |
lodash-utils-2 | lodash | 6,800 | Env var exfiltration |
express-sessoin | express-session | 4,100 | Session hijacking |
dotenv-expand-cli | dotenv-expand | 3,900 | Secret theft |
webpack-dev-srv | webpack-dev-server | 2,800 | Reverse shell |
6 of 15 packages shown. Full list available in KENSAI's threat intelligence feed.
Attackers register package names that are common misspellings of popular libraries. A single character difference — axois vs axios — is enough to catch developers in a hurry.
Some packages used internal-sounding names (e.g., @company-internal/auth-utils) to exploit organizations that mix public and private npm registries without proper scoping.
All 15 packages execute malicious code during npm install via postinstall scripts. The payloads are obfuscated using Base64 encoding, string concatenation, and dynamic eval() calls.
node_modules files that survive reinstallsnpm audit and check for typosquatting variantspackage-lock.json and verify integrity hashes@your-org/ scoped internal packagesAI-powered vulnerability management with 331,910+ CVEs indexed.
Start Free TrialStay secure. Stay vigilant.
🗡️ KENSAI Security Team