A fresh wave of software supply chain attacks has emerged, targeting developers through malicious npm and VS Code packages designed to harvest sensitive system data and compromise development environments. These packages are quietly weaponizing the tools developers trust most—open-source libraries and extensions—to steal data, deploy malware, and plant destructive payloads.
In the latest findings from Socket security researchers, at least 60 npm packages have been identified with built-in scripts that execute during installation, targeting Windows, macOS, and Linux environments. These install-time scripts collect hostnames, IP addresses, user directory paths, and DNS server information, then send it all to an attacker-controlled Discord webhook. This type of fingerprinting turns compromised developer machines or continuous integration (CI) nodes into reconnaissance assets for future attacks.
The packages, published under three now-deleted npm accounts—bbbb335656, cdsfdfafd1232436437, and sdsds656565—had been downloaded over 3,000 times before being removed. Their scripts also include sandbox evasion techniques to avoid detection, especially in cloud environments like those from Amazon and Google.
Masquerading as Plugins, Hiding Destruction
The attack doesn’t stop there. Another batch of eight malicious npm packages posed as helpful plugins for popular JavaScript frameworks like React, Vue.js, Vite, and Quill Editor. In reality, they carried destructive code capable of deleting files, corrupting JavaScript methods, and tampering with browser storage mechanisms.
Names like vite-plugin-vue-extend, js-bomb, and vue-plugin-bomb hid explosive behavior beneath seemingly harmless utilities. Some triggered system crashes or recursive file deletion simply by being imported. The malicious package js-bomb, for example, could even initiate a system shutdown based on the time of execution.
Researchers discovered that some attackers, like the one behind the alias “xuxingfeng,” use a hybrid strategy: publishing legitimate npm libraries alongside harmful ones. This tactic builds false credibility, increasing the chances that malicious packages go unnoticed and are trusted by unsuspecting developers.
From npm to Phishing: Attacks Grow More Sophisticated
This trend of abusing developer ecosystems doesn’t end with code corruption. A separate campaign tied phishing tactics to npm payloads. In one case, a phishing email sent with a malicious .HTM file launched JavaScript code from a now-removed package (citiycar8) hosted on jsDelivr. Once installed, the code initiated a chain of redirects that led victims to a fake Office 365 login page tailored with their email—designed to steal credentials.
The phishing campaign showed high sophistication, combining AES encryption, CDN hosting, and multilayered redirects to obscure the final malicious destination. According to Fortra researchers, these attacks reflect an evolving landscape where attackers use every tool available—open-source repositories, phishing lures, and obfuscated code—to evade detection and steal valuable credentials.
VS Code Marketplace Hit with Wallet-Stealing Extensions
The threat has also spread to the Visual Studio Code (VS Code) ecosystem. Security analysts at Datadog uncovered three malicious VS Code extensions—solaibot, among-eth, and blankebesxstnion—that appeared to offer legitimate Solidity development features but were built to exfiltrate cryptocurrency wallet data.
Once installed, these extensions delivered multi-stage malware, including a malicious browser extension capable of draining Ethereum wallets. Some payloads were even hidden within image files hosted on platforms like the Internet Archive. The extensions also installed executables that disabled Windows Defender, searched application folders for Discord and crypto wallets, and fetched additional payloads from remote servers.
All three extensions have since been removed, but the threat actor—tracked as MUT-9332—remains active. This same group has been linked to a broader campaign that deployed ten additional malicious VS Code extensions, some pretending to be AI and coding utilities, to covertly install XMRig cryptominers.
Security experts warn that such actors may pivot strategies now that their tools have been exposed, likely releasing a new wave of disguised packages to continue their exploitation of developer trust.