Researchers have identified malicious software within the Node Package Manager (NPM) repository, which remained undetected for over two years. These malicious packages, which closely resemble genuine software, were downloaded over 6,200 times, indicating a significant threat to users. The malicious code is capable of corrupting vital information, causing system crashes, and carrying out destructive actions such as file deletion. This discovery highlights the risks associated with open-source repositories, where hidden threats can persist for an extended period without being detected.
Kush Pandya, a researcher at the security firm Socket, has detailed the extent of the issue. According to his findings, the malicious packages were designed to target different parts of the JavaScript ecosystem using various tactics. Some of the payloads were scheduled for detonation on specific dates between June 2023 and August 2024, but several were left without any termination date, indicating a persistent threat. Pandya’s report emphasizes that developers who use these packages today would immediately trigger destructive payloads, including system shutdowns and the corruption of JavaScript prototypes.
The list of malicious packages includes js-bomb, js-hood, vite-plugin-bomb-extend, vite-plugin-bomb, vite-plugin-react-extend, vite-plugin-vue-extend, vue-plugin-bomb, and quill-image-downloader. The presence of these packages in a widely used repository underscores the importance of continuous monitoring and improved security measures within open-source communities. Pandya’s report serves as a warning that such threats could go unnoticed for extended periods, emphasizing the need for enhanced vigilance and proactive security practices.
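To check a project against the package names listed above, the following added example (not code from Socket's report) scans a parsed `package-lock.json` for exact name matches, including transitive dependencies. The function names, the sample lockfiles and their version numbers are constructed for illustration.

```javascript
// Package names listed in the article above.
const FLAGGED = new Set([
  'js-bomb', 'js-hood', 'vite-plugin-bomb-extend', 'vite-plugin-bomb',
  'vite-plugin-react-extend', 'vite-plugin-vue-extend', 'vue-plugin-bomb',
  'quill-image-downloader',
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; "" (root project) -> null.
function nameFromPath(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Return every listed package in a parsed package-lock.json, transitive ones included.
function findFlaggedPackages(lock) {
  const hits = [];
  // Lockfile v2/v3: flat "packages" map keyed by install path. When an entry
  // carries its own "name" (e.g. an aliased install), prefer it over the path.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromPath(key);
    if (name && FLAGGED.has(name)) hits.push({ name, version: meta.version, path: key });
  }
  // Lockfile v1 has only a nested "dependencies" tree; v2 repeats it for
  // compatibility, so walk it only when "packages" is absent.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path: [...trail, name].join(' > ') });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles; entries and versions are made up for the demo.
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/vite': { version: '5.0.0' },
  'node_modules/vite-plugin-bomb': { version: '1.0.0' },
  'node_modules/editor-kit/node_modules/quill-image-downloader': { version: '0.0.1' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'left-pad': { version: '1.3.0' },
  'ui-kit': { version: '2.0.0', dependencies: { 'js-hood': { version: '1.0.0' } } },
} };

console.log(findFlaggedPackages(sampleV3), findFlaggedPackages(sampleV1));
```

To scan a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findFlaggedPackages`; an empty array means none of the listed names appear in the lockfile.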