Philipp Burckhardt
burckhap.bsky.social
⚡Securing Software Supply Chains @SocketSecurity (http://socket.dev)
🔭 Scientific computing for the web via @stdlibjs (http://stdlib.io)
Given an ongoing PyPI phishing campaign that continues to target users with new domains through legitimate-looking emails requesting "email verification" that actually steal credentials, we are on the lookout for any compromised packages in the PyPI ecosystem specifically.
September 26, 2025 at 10:44 PM
Two malicious Rust crates (faster_log and async_println) impersonated the popular fast_log library to steal Solana and Ethereum wallet keys from source code. Downloaded 8,424 times before removal, these packages scanned developer files for private keys and exfiltrated them to a C2 server.
Crates.io
September 26, 2025 at 10:44 PM
QR Code Steganography in npm: We discovered fezbox, a malicious npm package using an innovative steganographic technique for obfuscation - hiding malware inside a QR code! The package fetches a QR code from a remote URL and executes code hidden within it to steal browser credentials.
September 26, 2025 at 10:44 PM
We found hidden functionality in 28+ npm packages that disables UI for Russian-language users visiting .ru or .by domains. No CVEs. No advisories. No documentation. Just behavior-based disruption quietly copied into packages and shipped to production.
Read more: socket.dev/blog/protest...
Tracking Protestware Spread: 28 npm Packages Affected by Pay...
Undocumented protestware found in 28 npm packages disrupts UI for Russian-language users visiting Russian and Belarusian domains.
socket.dev
July 16, 2025 at 8:13 PM
The latest North Korean "Contagious Interview" wave includes 67 new malicious packages with a previously unknown malware loader, accumulating over 17,000 downloads.
Read more on our blog: socket.dev/blog/contagi...
July 16, 2025 at 8:13 PM
These packages, disguised as "the cheapest Cursor API," install backdoors that steal credentials and modify crucial files. sw-cur, sw-cur1, and aiide-cur were downloaded 3,200+ times before discovery.
Read about them on the Socket blog:
socket.dev/blog/malicio...
Backdooring the IDE: Malicious npm Packages Hijack Cursor Ed...
Malicious npm packages posing as developer tools target macOS Cursor IDE users, stealing credentials and modifying files to gain persistent backdoor a...
socket.dev
May 8, 2025 at 5:32 PM
🚨 With vibe coding being on everyone's minds and AI code generation seemingly becoming ubiquitous, it is not surprising that this also attracts malicious actors. Kirill Boychenko uncovered three malicious npm packages targeting Cursor users on macOS.
May 8, 2025 at 5:32 PM
The attack was comprised of three malicious modules with hidden destructive code, using array-based string obfuscation and dynamic payload execution, targeting Linux servers and dev environments.

Check our full technical analysis and protection tips:

socket.dev/blog/wget-to...

#CyberSecurity
wget to Wipeout: Malicious Go Modules Fetch Destructive Payl...
Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.
socket.dev
May 1, 2025 at 7:56 PM
The threat actor started publishing these packages in 2021, consistently employing comparable strategies while remaining undetected.

Full technical analysis here:
socket.dev/blog/using-t...
Using Trusted Protocols Against You: Gmail as a C2 Mechanism...
Socket uncovers malicious packages on PyPI using Gmail's SMTP protocol for command and control (C2) to exfiltrate data and execute commands.
socket.dev
April 30, 2025 at 8:33 PM
These packages use embedded credentials to connect to Gmail's SMTP server, relay signals to emails under the control of attackers, and initiate WebSocket connections that can bypass firewalls since the connection starts from within the network.
April 30, 2025 at 8:33 PM
Remember: If any code asks for your seed phrase, there's no salvation - it's not a feature, it's a scam.
Here's the complete write-up: socket.dev/blog/malicio...
The Bad Seeds: Malicious npm and PyPI Packages Pose as Devel...
Socket researchers uncovered malicious npm and PyPI packages that steal crypto wallet credentials using Google Analytics and Telegram for exfiltration...
socket.dev
April 23, 2025 at 7:08 PM
With over 8,000 combined downloads, these digital highwaymen use Google Analytics and Telegram for exfiltration - truly where the wild roses grow.
While Socket is celebrating our launch week and Coana acquisition, the bad actors never take a break.
April 23, 2025 at 7:08 PM
What makes these attacks concerning is that they:

- target business-critical workflows
- use sophisticated disguises that implement legitimate functionality
- execute at specific runtime events, not installation

The malicious packages have been reported and have meanwhile been removed from the npm registry.
April 20, 2025 at 10:52 PM
The second attack involves an npm package disguised as an Advcash payment integration that triggers a reverse shell during payment success callbacks, allowing attackers to gain control of servers processing transactions.

Read more about it here: socket.dev/blog/npm-pac...
Malicious npm Package Disguised as Advcash Integration Trigg...
The Socket Research Team investigates a malicious npm package that appears to be an Advcash integration but triggers a reverse shell during payment su...
socket.dev
April 20, 2025 at 10:52 PM
The first attack targets Telegram bot developers with typosquatted packages (node-telegram-utils, node-telegram-bots-api, node-telegram-util) that install persistent SSH backdoors on Linux machines, masquerading as the legitimate node-telegram-bot-api library (4.17M+ downloads).
April 20, 2025 at 10:52 PM