A silent and sophisticated attack is underway in the JavaScript ecosystem, and your codebase might already be compromised. Security firm Socket has uncovered a stealthy campaign targeting developers and enterprise teams via NPM, where 60 malicious npm packages have been uploaded to quietly steal sensitive system information.
The attack spans Windows, Linux, and macOS systems and has already impacted thousands. If you’ve installed new dependencies recently, you may want to double-check what else came with them.
How the Attack Works: Post-Install Traps and Discord Data Exfiltration
At the heart of this campaign is a malicious script embedded in each NPM package. Once a developer installs the package, the script executes automatically and collects a range of system details — including hostnames, internal and external IP addresses, DNS server lists, usernames, and local directory paths. All this data is quietly exfiltrated to a Discord webhook controlled by the attacker.
Socket says the threat actor cleverly included lightweight sandbox-evasion techniques to avoid detection and specifically designed the script to fingerprint any system that builds or installs the package. This gives the attacker a detailed blueprint of both developer environments and enterprise networks — an ideal launching pad for future intrusions or supply chain attacks.
The packages, still live on NPM as of this writing, have already been downloaded over 3,000 times. Socket has urgently petitioned for their removal but warns that unless swift action is taken, more malicious uploads may follow.
The Risk: Enterprise Mapping and Potential Supply Chain Compromise
Socket’s advisory makes it clear: this campaign does more than steal data. It connects private developer environments to public infrastructure by linking internal network details with external-facing elements. That kind of visibility can be devastating, allowing attackers to identify high-value targets, pivot between systems, and even trace internal build processes or private registry URLs.
The three known NPM accounts behind the attack — bbbb335656, cdsfdfafd1232436437, and sdsds656565 — each uploaded 20 malicious packages containing the same post-install script. All collected data routes to a single Discord webhook, providing the attacker with a growing, real-time network intelligence feed.
Socket urges developers to audit their dependencies immediately and watch for red flags like unusually small tarball sizes, hardcoded post-install URLs, and suspicious scripts hidden in new packages.
If your team uses NPM, now is the time to act. Use dependency scanning tools to detect suspicious behavior and isolate affected projects before deeper damage is done. The integrity of your supply chain depends on it.
