Fortinet Labs Uncovers Series of Malicious NPM Packages Stealing Data

FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing Data

There are over 17 million developers worldwide who use NPM packages, making it a lucrative target for cybercriminals.

FortiGuard Labs has identified nine sets of malicious NPM packages, each with its own unique style of code.

FortiGuard Labs has uncovered a series of malicious packages concealed within NPM (Node Package Manager), the primary software repository for JavaScript developers. The researchers utilized a dedicated system designed to detect nefarious open-source packages across multiple ecosystems, including PyPI and NPM.

In this article, we delve into the world of these malicious packages, categorizing them based on their coding patterns and functionalities.

Malicious NPM Packages That Steal Sensitive Data

These malicious NPM packages steal sensitive data, such as system information, user credentials, and source code. The packages use install scripts to exfiltrate data to webhooks or file-sharing links.

The packages were found using a system dedicated to discovering malicious open-source packages. Fortinet has identified nine sets of malicious packages, each with its own unique style of code.

Most of these malicious packages employ install scripts that execute either before or after installation. When an NPM package is installed, these scripts are activated, opening the door to potential threats. Some of the most common techniques used by the malicious packages include:

  • Using install scripts to exfiltrate data to webhooks or file-sharing links.
  • Scanning for sensitive files and directories, such as source code and configuration files.
  • Downloading and executing malicious executable files.

Let’s take a closer look at these malicious packages and their intentions.

The First Set: Unveiling the Hidden Agenda

The initial group of packages hides an obfuscated index.js script. Despite the obfuscation, sharp eyes can detect suspicious strings that raise red flags. Upon further investigation, it becomes evident that these packages aim to extract sensitive data, including Kubernetes configurations, SSH keys, and other vital information, all without any prior notification.

The Second Set: On the Prowl for Valuable Data

The packages in the second set operate by initiating an HTTP GET request to a specified URL, complete with query parameters. They precisely scan for files and directories that may house sensitive information.

This script goes as far as permitting the unauthorized extraction of critical developer data, including source code and configuration files. Such files often contain valuable intellectual property and sensitive credentials, which are then archived and uploaded to an FTP server.

The Third Set: A Discord Webhook Heist

In this set, the index.mjs install script utilizes a Discord webhook to exfiltrate sensitive information, such as system details, usernames, and folder contents.

The Fourth Set: A Different Approach to Data Theft

Similar to the third set, these packages also rely on an index.mjs install script and a Discord webhook to steal sensitive data. However, they employ a distinct coding style for their mischievous activities.

The Fifth Set: Targeting User Information

This fifth set leverages an index.js install script to siphon off host and username information, as well as the contents of home directories, using a webhook.

The Sixth Set: A Common Style of Attack

This set, which is the most prevalent among the discovered packages, employs yet another index.js install script to extract sensitive information.

The Seventh Set: A Vulnerable Connection

According to FortiGuard Labs’ report, in this set, the packages utilize an installer.js install script to carry out the attack. However, a notable vulnerability exists as the ‘NODE_TLS_REJECT_UNAUTHORIZED’ environment variable is set to ‘0,’ effectively disabling TLS certificate validation and potentially rendering the connection insecure and susceptible to man-in-the-middle (MITM) attacks.

The Eighth Set: Automatic Execution of Suspicious Files

This package goes to the extreme by automatically downloading and executing a potentially malicious executable file from a specified URL to the C:/ directory.

The Ninth Set: Gathering Victim Information

This package adopts a different scripting style to collect system information, including the victim’s public IP address, subsequently transmitting this data to a Discord webhook.


Fortinet has released signatures for its FortiGuard AntiVirus service to detect the malicious files identified in this report. The FortiGuard Web Filtering Service also detects and blocks the download URLs cited in this report.

The company also recommends that users take the following steps to protect themselves from these malicious packages:

  • Keep your NPM packages up to date.
  • Use a trusted package manager.
  • Scan your projects for malicious dependencies.
  • Be wary of packages with unusual install scripts or behaviour

Conclusion: Vigilance Is Key

The discovery of these malicious NPM packages is a reminder of the importance of vigilance when using open-source software. Organizations should take steps to protect themselves from these threats, such as keeping their NPM packages up to date, using a trusted package manager, scanning their projects for malicious dependencies, and being wary of packages with unusual install scripts or behaviour.

  1. 6 official Python repositories plagued with cryptomining malware
  2. CISA warns of trojanized versions of JavaScript library’s NPM package
  3. VMCONNECT: Malicious PyPI Package Mimicking Common Python Tools
  4. Crypto Discord Communities Targeted by Malicious Bookmarks & JavaScript
Related Posts