Security researchers discover 15 malicious npm packages with 47,000+ combined weekly downloads. Packages mimic popular libraries to steal 자격 증명s, inject 백도어s, and exfiltrate environment variables.
Socket Security researchers have identified 15 malicious packages in the npm registry that collectively accumulated over 47,000 weekly downloads before detection. The packages used typosquatting and dependency confusion techniques to infiltrate development pipelines.
귀하의 것을 확인하세요 package.json and package-lock.json for the affected packages listed below. Remove and rotate all 자격 증명s if any match is found.
| Package Name | Mimics | Weekly Downloads | Payload |
|---|---|---|---|
axois | axios | 12,400 | 자격 증명 탈취 |
react-dom-utils | react-dom | 8,200 | Backdoor injection |
lodash-utils-2 | lodash | 6,800 | Env var exfiltration |
express-sessoin | express-session | 4,100 | Session hijacking |
dotenv-expand-cli | dotenv-expand | 3,900 | Secret theft |
webpack-dev-srv | webpack-dev-server | 2,800 | Reverse shell |
6 of 15 packages shown. Full list available in KENSAI's threat intelligence feed.
Attackers register package names that are common misspellings of popular libraries. A single character difference — axois vs axios — is enough to catch developers in a hurry.
Some packages used internal-sounding names (e.g., @company-internal/auth-utils) to 익스플로잇 organizations that mix public and private npm registries without proper scoping.
All 15 packages execute malicious code during npm install via postinstall scripts. The 페이로드s are obfuscated using Base64 encoding, string concatenation, and dynamic eval() calls.
node_modules files that survive reinstallsnpm audit and check for typosquatting variantspackage-lock.json and verify integrity hashes@your-org/ scoped internal packagesAI-powered 취약점 management with 331,910+ CVEs indexed.
Start Free Trial안전하게. 경계하며.
🗡️ KENSAI 보안팀