Socket Security has published findings on a sustained supply chain attack campaign targeting the npm JavaScript package registry. The investigation identified 287 malicious packages that collectively accumulated over 4 million downloads before being flagged and removed by npm security teams.
Attack Methodology: Typosquatting and Dependency Confusion
The malicious packages employed two primary distribution strategies:
Typosquatting: Packages were named to closely resemble highly popular legitimate packages, exploiting common typing errors. Examples include lodahs (targeting lodash), reacct (targeting react), axois (targeting axios), and expresss (targeting express). Developers who make minor typos when running npm install can inadvertently install the malicious versions.
Dependency Confusion: Several packages exploited the npm registry's public/private resolution order. By publishing packages with names matching internal private packages used at large tech companies—discovered through job postings, GitHub repositories, and leaked package.json files—attackers caused CI/CD pipelines to download their malicious public package instead of the intended private one.
Malicious Payload Behavior
All 287 packages share a common payload structure, executing immediately at install time via npm's preinstall hook:
1. Credential harvesting: The payload reads all environment variables, specifically targeting AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, DATABASE_URL, GITHUB_TOKEN, and similar secrets
2. SSH key exfiltration: Reads and exfiltrates SSH private keys and known_hosts files
3. File system traversal: Walks the filesystem looking for .env files and package.json files
4. Persistence attempt: On macOS, attempts to install a LaunchAgent for persistence
All harvested data is exfiltrated to attacker-controlled servers via DNS-over-HTTPS (DoH) to bypass network-level egress filtering.
Affected Organizations
Socket's telemetry indicates the packages were installed at multiple Fortune 500 companies, several government contracting firms, and numerous startups. At least 12 organizations confirmed that live AWS credentials were exfiltrated and used to provision unauthorized cloud resources.
Protective Measures
Security teams should audit package.json and package-lock.json files against the published IOC list, rotate any credentials present in environments where npm installs occur, implement npm package integrity verification, and configure CI/CD environments to restrict environment variable access to only the steps that require them.