Researchers have uncovered a campaign involving malicious npm packages impersonating legitimate tools. These counterfeit packages, like @typescript_eslinter/eslint and types-node, have been downloaded thousands of times, compromising developers’ systems.
The fraudulent packages mimic popular libraries to gain trust. For example, @typescript_eslinter/eslint uses a fake GitHub repository created in late November 2024. This library contains a file named prettier.bat, designed to drop a Windows executable into the system’s startup folder. Consequently, the malicious program runs every time the system restarts.
Similarly, types-node reaches out to a remote server to fetch additional scripts. These scripts deploy a fake executable named npm.exe, further expanding the attack. Some downloads were likely boosted artificially to make the packages appear legitimate, fooling developers into trusting them.
The attack is not limited to npm packages. Malicious extensions also infiltrated the Visual Studio Code (VSCode) Marketplace in October 2024. These extensions targeted the crypto community before shifting to applications like Zoom. Examples include “Ethereum.SoliditySupport” and “ZoomWorkspace.Zoom.” Though removed now, the extensions contained obfuscated JavaScript code acting as a downloader for further payloads.
Reports highlight that the campaign’s sophistication increased over time. Attackers targeted developers by exploiting trust in open-source ecosystems and integrated development environments (IDEs). By inserting malicious code as a dependency, they introduced risks that could compromise broader development workflows.
Preventive Measures
To avoid such attacks, developers should thoroughly verify the source and legitimacy of npm packages and extensions before downloading. Using package management tools that scan for vulnerabilities adds another layer of protection. Organizations must enforce supply chain security protocols and educate developers on detecting suspicious dependencies. Regularly auditing dependencies and monitoring updates for malicious activity can significantly reduce risks.
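One way to put the dependency-auditing advice above into practice, as an added example that is not code from the report or from any of the packages it names: scan package manifests for the three indicators the report describes (install-time lifecycle hooks, bundled Windows executables or batch files such as prettier.bat and npm.exe, and names that closely resemble well-known packages). The known-good list, the assumed impersonation targets (@types/node and the @typescript-eslint scope) and the sample manifests are constructed for illustration.

```javascript
// Added defensive example, not code from the report or from the packages it names:
// audit dependency manifests for the indicators described above. Manifests are
// constructed inline; in practice read them from node_modules/<name>/package.json.
const KNOWN_GOOD = ['@types/node', '@typescript-eslint/eslint-plugin', 'eslint', 'prettier'];
const RISKY_FILE = /\.(bat|cmd|exe|ps1|vbs)$/i;          // droppers like prettier.bat, npm.exe
const LIFECYCLE = ['preinstall', 'install', 'postinstall']; // hooks that run at install time
// Fold case and strip punctuation so '_' vs '-' or a missing '@' still compare equal.
const normalize = (s) => s.toLowerCase().replace(/[@\/_.\-]/g, '');
// Scope of '@scope/name', or '' for unscoped packages.
const scopeOf = (n) => (n.startsWith('@') ? n.split('/')[0] : '');
// Levenshtein edit distance, used to spot look-alike (typosquat) names.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}
// Findings for one manifest: install hooks, bundled executables, look-alike names.
function auditPackage(m) {
  const findings = [];
  for (const hook of LIFECYCLE)
    if (m.scripts && m.scripts[hook]) findings.push(`install hook ${hook}: ${m.scripts[hook]}`);
  for (const f of m.files || [])
    if (RISKY_FILE.test(f)) findings.push(`bundled executable: ${f}`);
  if (!KNOWN_GOOD.includes(m.name)) {                    // exact well-known names are fine
    for (const good of KNOWN_GOOD) {
      // Compare the whole name, and scope against scope when both are scoped.
      const [s, gs] = [scopeOf(m.name), scopeOf(good)];
      const dist = Math.min(editDistance(normalize(m.name), normalize(good)),
                            s && gs ? editDistance(normalize(s), normalize(gs)) : Infinity);
      if (dist <= 2) { findings.push(`name resembles ${good} (edit distance ${dist})`); break; }
    }
  }
  return findings;
}
// Report keyed by package name, listing only packages with findings.
function auditAll(manifests) {
  return Object.fromEntries(manifests.map((m) => [m.name, auditPackage(m)]).filter(([, f]) => f.length));
}
// Constructed manifests modelled on the report; the install hooks are an assumption.
const SAMPLE = [
  { name: '@types/node', files: ['index.d.ts'] },
  { name: 'types-node', files: ['index.js'], scripts: { postinstall: 'node index.js' } },
  { name: '@typescript_eslinter/eslint', files: ['prettier.bat', 'index.js'], scripts: { preinstall: 'prettier.bat' } },
];
console.log(JSON.stringify(auditAll(SAMPLE), null, 2));
```

The genuine @types/node manifest produces no findings, while both look-alikes are flagged on more than one indicator, which is the signal to review a dependency before it is installed.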