A previously unknown threat actor has been discovered using malicious npm packages to target developers and steal source code and configuration files from their machines [1] [2] [3] [4]. This campaign has been ongoing since 2021 [3] [4], with the threat actor continuously publishing these malicious packages [3] [4].


The packages are designed to execute post-installation and exfiltrate valuable information to a remote server [3]. Each package consists of three files: package.json, preinstall.js, and index.js [1]. Upon installation, a post-install hook triggers the preinstall.js script, which then launches the index.js script [1]. That script collects system information and sends it to a remote server [1]. The packages are associated with the cryptocurrency sector and are authored by “lexi2”.
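
A defender-side check for the install-hook mechanism described above, as an added example that is not code from Checkmarx or the cited reports: it inspects parsed package.json manifests for lifecycle scripts that npm runs at install time and notes when a hook launches a local JS file. The `auditManifest` and `auditAll` helpers and the package names are hypothetical, and the sample manifests are constructed.

```javascript
// Lifecycle script names that npm runs automatically when a package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Matches a hook command that launches a local JS file with node,
// e.g. "node preinstall.js" (the package layout the article describes).
const NODE_FILE = /\bnode\s+(?:\.\/)?([\w./-]+\.(?:c|m)?js)\b/;

// Inspect one parsed package.json and return one finding per install hook.
function auditManifest(manifest) {
  const scripts =
    (manifest && typeof manifest.scripts === 'object' && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string' || command.trim() === '') continue;
    const match = NODE_FILE.exec(command);
    findings.push({
      package: `${manifest.name || '(unnamed)'}@${manifest.version || '?'}`,
      hook,
      command,
      runsLocalScript: match ? match[1] : null, // file to review by hand
    });
  }
  return findings;
}

// Audit many manifests, skipping packages whose hooks were already reviewed.
function auditAll(manifests, reviewed = new Set()) {
  return manifests.filter((m) => !reviewed.has(m.name)).flatMap(auditManifest);
}

// Constructed sample manifests (not the campaign's real packages).
const SAMPLE = [
  { name: 'example-wallet-utils', version: '1.0.3',
    scripts: { postinstall: 'node preinstall.js' } },
  { name: 'example-native-addon', version: '2.1.0',
    scripts: { install: 'node-gyp rebuild', test: 'mocha' } },
  { name: 'example-plain-lib', version: '0.4.0', scripts: { test: 'jest' } },
];

for (const f of auditAll(SAMPLE, new Set(['example-native-addon']))) {
  console.log(`${f.package}: ${f.hook} -> "${f.command}"`);
}
```

To use it on a real project, pass in the `JSON.parse` result of each `package.json` under `node_modules`; a finding is a prompt to read the referenced script, not proof of malice.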

The attack involves creating a ZIP archive of the stolen data and transmitting it to an FTP server [3]. Security researcher Yehuda Gelb emphasizes that these attacks are not isolated incidents but the work of persistent adversaries [3] [4]. Researchers stress that sharing metadata and tracking attackers supports the ongoing monitoring and analysis needed to develop a more sophisticated strategy for protection against these threats.


The discovery of this threat highlights the need for enhanced software supply chain security. It is crucial for developers to remain vigilant and implement robust security measures to protect their source code and configuration files. Ongoing monitoring and analysis, along with sharing metadata and tracking attackers, are essential for developing a more sophisticated strategy to mitigate these threats [1]. The report by the software supply chain security firm Checkmarx is a valuable resource for understanding and addressing this threat.


[1] https://siliconangle.com/2023/08/30/checkmarx-warns-unknown-threat-actor-targeting-developers-npm-packages/
[2] https://gixtools.net/2023/08/malicious-npm-packages-aim-to-target-developers-for-source-code-theft/
[3] https://thehackernews.com/2023/08/malicious-npm-packages-aim-to-target.html
[4] https://www.redpacketsecurity.com/malicious-npm-packages-aim-to-target-developers-for-source-code-theft/