An unknown threat actor has developed a way to build malicious npm packages that steal source code and configuration files from victim machines, a sign of how consistently threats lurk in open-source repositories.
Since then, they have continuously published malicious packages.
The packages, by design, are configured to execute immediately post-installation.
According to the security researcher Yehuda Gelb, the cryptocurrency sector remains a hot target, and it’s important to recognize that we’re not just grappling with malicious packages, but also persistent adversaries whose continuous and meticulously planned attacks date back months or even years.
The packages rely on npm's preinstall lifecycle hook, which npm runs automatically during installation; the hook launches Node.js, which executes index.js.
This file captures machine metadata and lets the attackers harvest source code and the contents of specific directories.
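As an added illustration (not code from the article or from the campaign it describes), a small Node.js audit that scans a package manifest for the install-time lifecycle hooks discussed above, since those run automatically the moment a package is installed. The manifest it inspects is a constructed sample.

```javascript
// Added example: audit a package.json for npm lifecycle scripts that run
// automatically at install time (preinstall/install/postinstall and friends).
// A hook such as "preinstall": "node index.js" executes before the package
// is ever imported, which is the behaviour the article attributes to the
// malicious packages. Defensive use: review such packages before installing.

const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'preprepare', 'prepare', 'postprepare',
];

// Returns the install-time hooks found in a manifest, with the script text
// and, for the common `node <file>` pattern, the entry file it launches.
function findInstallHooks(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] !== 'string') continue;
    const cmd = scripts[hook].trim();
    const m = cmd.match(/^node\s+(\S+)/);
    findings.push({ hook, command: cmd, entry: m ? m[1] : null });
  }
  return findings;
}

// Constructed manifest (not a real package) in the shape the article
// describes: a preinstall hook that spawns index.js.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-utility',
  version: '1.0.0',
  scripts: {
    preinstall: 'node index.js',
    test: 'mocha',
  },
});

for (const f of findInstallHooks(SAMPLE_MANIFEST)) {
  console.log(`install-time hook "${f.hook}" runs: ${f.command}` +
    (f.entry ? ` (entry file ${f.entry})` : ''));
}
```

Setting `ignore-scripts=true` in `.npmrc` (or running `npm install --ignore-scripts`) stops npm from executing these hooks at all, at the cost of breaking packages that legitimately depend on them.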