Warning: Malicious npm Packages Targeting React, Vue, Vite with Destructive Payloads

Researchers at Socket have uncovered over 60 malicious packages in the npm registry that covertly harvest data from user devices—collecting hostnames, IP addresses, DNS configurations, and user directory paths. This information is exfiltrated to attackers via Discord webhooks. The libraries were published through three accounts, all of which have since been removed from the platform, and were collectively downloaded more than 3,000 times.

Installation involves a script embedded within the package, which is triggered during the execution of npm install. This script runs across Windows, macOS, and Linux systems, checking for virtualized environments hosted on platforms such as Amazon, Google, and others. Build systems, CI/CD pipelines, and developer workstations using these packages can become reconnaissance footholds for subsequent attacks.

Simultaneously, researchers identified another wave of malicious activity involving eight npm packages disguised as useful modules for React, Vue.js, Vite, and Quill Editor. In reality, these packages execute destructive payloads—deleting project files, corrupting JavaScript methods, and damaging browser storage data. Some variants activate upon the first function call and, in certain cases, can even shut down the system based on the time of execution.

The perpetrators employ sophisticated obfuscation techniques—many of the malicious packages exhibit genuine functionality, which masks their underlying intent. The group behind the campaign, operating under the alias xuxingfeng, has been active since at least 2023, with some of the harmful libraries dating back to that year.

This reflects a growing trend: attackers increasingly adopt strategies drawn from social engineering, crafting the illusion of legitimate activity and embedding malicious code subtly, hidden between the lines. Such tactics not only hinder detection but also erode trust within the open-source ecosystem, where reliance on shared tools becomes a potential point of exploitation.

In light of these incidents, one truth becomes abundantly clear: build automation demands the same level of scrutiny as the code itself. Without rigorous vetting, even a single dependency can become a Trojan horse in disguise.