Security experts are warning people who use NPM — a platform where developers share code — to be careful after finding several fake software packages that secretly collect information from users’ computers.
The cybersecurity company Socket found around 60 harmful packages uploaded to NPM starting mid-May. These were posted by three different accounts and looked like normal software, but once someone installed them, a hidden process ran automatically. This process collected private details such as the device name, internal IP address, the folder the user was working in, and even usernames and DNS settings. All of this was sent to attackers without the user knowing.
The script also checked whether it was running in a cloud service or a testing environment. This is likely how the attackers tried to avoid being caught by security tools.
Luckily, these packages didn’t install extra malware or try to take full control of users’ systems. There was no sign that they stayed active on the system after installation or tried to gain more access.
Still, these fake packages are dangerous. The attackers used a trick known as “typosquatting” — creating names that are nearly identical to real packages. For example, names like “react-xterm2” or “flipper-plugins” were designed to fool people who might type quickly and not notice the slight changes. The attackers appeared to be targeting software development pipelines used to build and test code automatically.
Content was cut in order to protect the source.Please visit the source for the rest of the article.