← Back to Security Blog
보안 브리핑 7분 읽기

새로운 공급망 공격이 npm 생태계를 노린다 — 악성 패키지 15개 발견

Security researchers discover 15 malicious npm packages with 47,000+ combined weekly downloads. Packages mimic popular libraries to steal 자격 증명s, inject 백도어s, and exfiltrate environment variables.


공격 개요

Socket Security researchers have identified 15 malicious packages in the npm registry that collectively accumulated over 47,000 weekly downloads before detection. The packages used typosquatting and dependency confusion techniques to infiltrate development pipelines.

⚠️ Immediate Action Required

귀하의 것을 확인하세요 package.json and package-lock.json for the affected packages listed below. Remove and rotate all 자격 증명s if any match is found.


식별된 악성 패키지

Package NameMimicsWeekly DownloadsPayload
axoisaxios12,400자격 증명 탈취
react-dom-utilsreact-dom8,200Backdoor injection
lodash-utils-2lodash6,800Env var exfiltration
express-sessoinexpress-session4,100Session hijacking
dotenv-expand-clidotenv-expand3,900Secret theft
webpack-dev-srvwebpack-dev-server2,800Reverse shell

6 of 15 packages shown. Full list available in KENSAI's threat intelligence feed.


공격 기법

Typosquatting

Attackers register package names that are common misspellings of popular libraries. A single character difference — axois vs axios — is enough to catch developers in a hurry.

Dependency Confusion

Some packages used internal-sounding names (e.g., @company-internal/auth-utils) to 익스플로잇 organizations that mix public and private npm registries without proper scoping.

Postinstall Hooks

All 15 packages execute malicious code during npm install via postinstall scripts. The 페이로드s are obfuscated using Base64 encoding, string concatenation, and dynamic eval() calls.


영향 평가


복구 조치

  1. Audit dependencies: Run npm audit and check for typosquatting variants
  2. Lock files: Always commit package-lock.json and verify integrity hashes
  3. Use scoped packages: Configure npm to only allow @your-org/ scoped internal packages
  4. Rotate 자격 증명s: If any malicious package was installed, rotate ALL secrets immediately
  5. Enable npm audit signatures: Verify package provenance using npm's built-in signature verification

Protect Your Organization with Kensai

AI-powered 취약점 management with 331,910+ CVEs indexed.

Start Free Trial

안전하게. 경계하며.

🗡️ KENSAI 보안팀