A fresh supply chain attack is quietly unfolding in the JavaScript ecosystem, and it’s already compromising developer environments and enterprise networks. Socket’s Threat Research Team has identified 60 malicious npm packages actively siphoning off sensitive host and network information during installation, leaving no trace except for a webhook ping to a Discord-controlled endpoint.
A quiet, targeted recon campaign
Unlike smash-and-grab malware that wreaks instant havoc, this campaign is surgical. Each package contains a post-install script that activates automatically during npm install. The script gathers internal and external IPs, hostnames, DNS server lists, and user directories, then exfiltrates everything to a hardcoded Discord webhook.
The exfiltration logic is nearly identical across all 60 packages, indicating a coordinated effort by a single threat actor. Socket’s telemetry suggests the attack has been live for at least eleven days, and the malicious packages have been downloaded more than 3,000 times, likely capturing data from countless developer machines and CI pipelines.
And yes, all 60 packages are still live on npm.
The malware’s blueprint
The script, found inside packages like seatable, datamart, and seamless-sppmy, is designed to stay under the radar. It checks for sandbox or virtual machine environments (like AWS, GCP, and known malware research setups) and bails if it detects them. This isn’t a proof-of-concept; it’s a real-world recon tool built to avoid detection and gather intel on real developer environments.
It collects:
- Internal & external IP addresses
- Hostnames and usernames
- DNS servers
- Directory paths (including home directories)
- Project and package details
On CI/CD servers, that could mean leaking internal registry URLs, build environments, and more, laying the groundwork for future supply chain attacks.
Who’s behind it?
Three npm accounts are responsible, each with 20 malicious packages:
- bbbb335656 (npm9960+1@gmail[.]com)
- sdsds656565 (npm9960+2@gmail[.]com)
- cdsfdfafd1232436437 (npm9960+3@gmail[.]com)
Packages include names like seatable, datamart, flipper-plugins, coral-web-be, arcademinigame, and more, none of which immediately raise red flags. That’s by design. The attacker is counting on low detection and wide install coverage.
Why this matters
This campaign doesn’t encrypt your files, install a backdoor, or steal secrets, yet. Instead, it builds a map of your network. It’s slow-burn reconnaissance: get in, gather intel, get out quietly.
That kind of data is gold for attackers. It links private dev environments to public-facing infrastructure, offering clues on where to strike next. It’s also a blueprint for supply chain infiltration, especially if the affected environments are trusted build systems.
And here’s the kicker: post-install scripts are still completely unregulated on npm. This means anyone can publish a package today that quietly runs arbitrary code on install, and as this campaign shows, it works.
What you can do now
This threat isn’t going away, and until the packages are pulled from npm, it’s open season for installs.
Here’s what defenders should do immediately:
- Scan dependencies for post-install hooks, hardcoded URLs, and unusually small tarballs.
- Avoid blindly trusting packages, especially lesser-known ones.
- Use tools like Socket’s GitHub app, CLI, or browser extension to flag risky patterns during installs or pull requests.
- Lock down CI environments and audit for unusual outbound connections.
This is also a call to npm and the wider JavaScript ecosystem: it’s time to put guardrails around post-install scripts. Until then, attackers will keep exploiting this loophole.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.