Hundreds of malware-laden fake npm packages have been posted online to trick developers


  • Criminals add hundreds of malicious packages to npm
  • The packages attempt to retrieve a second-stage payload to infect the machines
  • The crooks went out of their way to hide where they hosted the malware

Software developers, especially those working with cryptocurrencies, are once again facing a supply chain attack via open source code repositories.

Cybersecurity researchers at Phylum have warned that a threat actor has uploaded hundreds of malicious packages to the open source package repository npm. The packages are typosquatted versions of Puppeteer and Bignum.js, published under names that differ from the genuine packages by only a character or two. Developers who need these libraries for their products may end up installing the wrong one by mistyping the name or copying a lookalike, because at a glance the fake names are almost indistinguishable from the real ones.
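The lookalike-name trick described above is easy to catch mechanically before `npm install` runs anything. The following is an added example, not code from the article or from Phylum: it compares every dependency name in a package.json against a short allow-list of packages the project is expected to use and reports names that are within a small edit distance of one but are not an exact match. The allow-list entries (puppeteer, bignumber.js, express) and the sample package.json are constructed for illustration.

```javascript
// Added example (not from the article): flag dependency names that are a
// small edit distance away from a known-good package name. The allow-list
// and the sample package.json below are constructed, not real project data.

// Classic Levenshtein distance using a single rolling row:
// insert, delete and substitute each cost 1.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];          // d[i-1][j-1] for the current column
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];     // d[i-1][j], saved before overwrite
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Separator swaps ("bignumber-js" for "bignumber.js") are a common squat,
// so names are lower-cased and stripped of '-', '_' and '.' before comparing.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Returns one finding per (dependency, allow-listed name) pair whose
// normalised edit distance is at most maxDistance. Exact allow-list
// matches are the expected packages and are skipped.
function findLookalikes(dependencies, allowList, maxDistance = 2) {
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    if (allowList.includes(dep)) continue;
    for (const known of allowList) {
      const distance = levenshtein(normalize(dep), normalize(known));
      if (distance <= maxDistance) {
        findings.push({ dependency: dep, resembles: known, distance });
      }
    }
  }
  return findings;
}

// Constructed sample input. Two entries imitate genuine packages:
// "pupeteer" drops a letter, "bignumber-js" swaps the separator.
const samplePackageJson = {
  name: "example-app",
  dependencies: {
    "puppeteer": "^21.0.0",
    "pupeteer": "^21.0.0",
    "bignumber.js": "^9.0.0",
    "bignumber-js": "^9.0.0",
    "express": "^4.18.0"
  }
};

// Assumed allow-list of what this project is supposed to depend on.
const ALLOW_LIST = ["puppeteer", "bignumber.js", "express"];

function checkSample() {
  return findLookalikes(samplePackageJson.dependencies, ALLOW_LIST);
}

console.log(JSON.stringify(checkSample(), null, 2));
```

To run this against a real project, replace `samplePackageJson` with `JSON.parse(fs.readFileSync("package.json", "utf8"))` and build the allow-list from the dependencies in a reviewed lockfile. An edit-distance threshold of 2 will produce occasional false positives on short names, so treat a finding as a prompt to look at the package's publisher and publish date rather than as proof of malice.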