Disguised as harmless plugins and utilities, the malicious packages carry a destructive payload built to wipe or corrupt data, destroy important files and crash systems. Since being uploaded they have been downloaded more than 6,200 times, slipping into developers' environments unnoticed and evading detection.
“The actor behind this campaign, using the npm alias xuxingfeng with the registration email 1634389031@QQ (.) Com, published eight packages designed to cause widespread damage in the JavaScript ecosystem,” Socket researcher Kush Pandya said in a blog post. “In particular, the same account has also published many legitimate, non-malicious packages that act as advertising.”
Earlier this month, attackers were seen using typosquatted packages to target developers across multiple languages while abusing npm, including for theft and RCE code. Boychenko advised practicing standard hygiene when managing dependencies from npm. In addition to strengthening the development pipeline with automated security checks, he recommended using dependency-scanning tools and treating post-install hooks, hardcoded URLs and unusually small tar archives as red flags.