Supply Chain Attack Deploys Hundreds of Malicious NPM Modules to Steal Data

A widespread campaign uses more than 24 malicious NPM packages loaded with JavaScript obfuscators to steal form data from multiple sites and apps, analysts report.

A routine scan of the NPM open source code repository in April turned up several packages using a JavaScript obfuscator to hide their true function.
After further investigation, analysts with ReversingLabs reported they have uncovered a campaign dating back at least six months that used more than two dozen malicious NPM modules to steal data from sites and applications. All together, the team found that 27,000 instances of the malicious NPM packages had been downloaded.
While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands, of downstream mobile and desktop applications as well as websites, the ReversingLabs researchers explained in a blog post. In one case, a malicious package had been downloaded more than 17,000 times.
The attack relies on so-called
typo-squatting
, where threat actors disguise malicious code packages with names very close to legitimate ones, including subtle naming variations and common misspellings, the researchers said.
For instance, one of the malicious packages lurking in the NPM repository is named umbrellaks, an attempt to hijack developers looking for the popular document object model (DOM) framework umbrellajs, the ReversingLabs team added.
What makes this supply chain reminiscent of the
SolarWinds attack
, the analysts pointed out, is the fact that the target isnt the developer inadvertently using the malicious code but, rather, the target site or application further down the software supply chain.
This attack marks a significant escalation in software supply-chain attacks, according to the ReversingLabs
malicious NPM
report. Malicious code bundled within the NPM modules is running within an unknown number of mobile and desktop applications and web pages, harvesting untold amounts of user data.
Most of the malicious open source modules are still are still available, despite the analysts reporting their findings to NPM on July 1, they added. The report contains a list of affected packages.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Supply Chain Attack Deploys Hundreds of Malicious NPM Modules to Steal Data