The Sonatype Security Research team has identified a concerning campaign on the npm registry involving 14 malicious npm packages [3]. These packages pose a significant security risk as they are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines. In this improved text, we will provide a detailed description of this ongoing campaign and its implications, as well as highlight the importance of taking necessary measures to protect sensitive information.


The identified malicious npm packages impersonate JavaScript libraries and components, utilizing obfuscated code to collect sensitive files [1] [2] [3] [4]. These packages have been reported to the npm registry admins and have been published in batches from different npm accounts [3]. It is worth noting that each package has scored no more than 200 downloads. A common factor among these accounts is the use of the domain [3].

The packages employ tactics of impersonating legitimate open source libraries and contain obfuscated code to collect sensitive information [3]. Previous versions of some packages even contained a plaintext version of the attack payload [3], confirming the attacker’s intentions [3]. Unauthorized access to a Kubernetes cluster could become problematic if the attacker were to exploit recently disclosed vulnerabilities [3].

Attribution of the campaign is made difficult by the fact that the domain is currently resolving to two Cloudflare IP addresses. Additionally, the use of Mandarin in comments within the packages is interesting but does not provide specific insight into the threat actor [3].

It is important to note that this discovery is not an isolated incident. Counterfeit npm packages have been previously reported, highlighting the ongoing threat to open-source registries [2]. Similar campaigns have also targeted the PyPI and RubyGems ecosystems, expanding their capabilities to include data collection and exfiltration.

Furthermore, these campaigns have now expanded to target Apple macOS users. The author of these packages is staging a broad campaign against software developers [2], although the end goal remains unclear [2].


The implications of this ongoing campaign are significant. Organizations utilizing Kubernetes configurations and SSH keys must be aware of the threat and take necessary measures to protect their sensitive information. Sonatype’s Repository Firewall and Lifecycle products can help block these types of malicious packages from reaching development builds [3].

The fact that these malicious npm packages are capable of harvesting system metadata, such as usernames [1], IP addresses [1] [3], and hostnames [1], further emphasizes the need for heightened cybersecurity measures.

As the campaigns targeting open-source registries continue to evolve and expand, it is crucial for organizations to stay vigilant and proactive in their efforts to safeguard their systems. The future implications of these campaigns remain uncertain, but it is clear that the threat landscape is constantly evolving, requiring ongoing attention and mitigation strategies.