Over 70 Malicious npm and VS Code Packages Found Stealing Data
Author: Infosec Now
Uploaded: 2025-12-22
Views: 0
In this video, we delve into the alarming discovery of over 70 malicious npm and Visual Studio Code packages that have been found to steal sensitive data and cryptocurrency credentials. Reported on May 26, 2025, these packages have raised significant concerns within the cybersecurity community, highlighting the evolving tactics of cybercriminals in exploiting open-source repositories.
What you’ll learn: We will explore the nature of these malicious packages, the timeline of their discovery, the impact on developers and organizations, and what steps can be taken to mitigate risks. Understanding these threats is crucial for anyone involved in software development, cybersecurity, or digital asset management.
The first wave of malicious npm packages, totaling around 60, was discovered to have functionalities designed to harvest sensitive information such as hostnames, IP addresses, and DNS servers. These packages were published under three different accounts and were collectively downloaded over 3,000 times. The malicious scripts embedded within these packages execute during installation, targeting various operating systems, and are designed to evade detection by recognizing if they are running in virtualized environments.
In addition to the npm packages, researchers uncovered eight more packages masquerading as legitimate JavaScript libraries, which, once installed, could execute destructive payloads. These packages have been downloaded more than 6,200 times and are still available in the repository. Their capabilities include corrupting files and crashing systems, showcasing the dual threat posed by seemingly innocuous software.
Another notable finding involves a sophisticated phishing attack that combines traditional email phishing techniques with malicious npm packages. This attack utilizes encrypted JavaScript code to redirect victims to a fake Office 365 login page, demonstrating the innovative methods cybercriminals employ to deceive users and capture sensitive credentials.
Furthermore, the threat landscape extends to Visual Studio Code, where malicious extensions targeting Solidity developers were identified. These extensions, while appearing to offer legitimate functionality, were designed to siphon cryptocurrency wallet credentials. The complexity of these attacks, involving multiple stages of obfuscated malware, emphasizes the need for heightened vigilance in the cybersecurity community.
In light of these incidents, it is essential for developers and organizations to remain proactive. Regularly auditing dependencies, utilizing security tools to scan for vulnerabilities, and educating teams about the risks associated with third-party packages are crucial steps to safeguard against such threats. As cybercriminals continue to evolve their tactics, staying informed and prepared is the best defense.
In summary, the recent discoveries of malicious npm and VS Code packages serve as a stark reminder of the vulnerabilities present in open-source ecosystems. By understanding these threats and implementing robust security measures, developers can better protect their projects and users from potential harm.