Reconnaissance Campaign Active on NPM Repository
================================================

Malicious Packages Hide Scripts for Mapping Enterprise Networks

[Prajeet Nair](https://www.govinfosecurity.com/authors/prajeet-nair-i-3483) ([@prajeetspeaks](https://www.twitter.com/@prajeetspeaks)) • May 24, 2025

A hacking campaign is spreading malicious reconnaissance scripts that have already been downloaded more than 3,000 times from the npm repository, the package registry for the Node.js JavaScript runtime environment, warn researchers.

Researchers from Socket’s Threat Research Team [identified](https://socket.dev/blog/60-malicious-npm-packages-leak-network-and-host-data) 60 npm packages carrying a ‘small install-time script’ that exfiltrates data such as hostnames, IP addresses, DNS configurations, usernames and project paths.

Whoever is behind the campaign has ‘a growing map of developer and enterprise networks that can guide future intrusions,’ Socket said Thursday.

The reconnaissance script is likely a harbinger of worse things to come. Because the npm registry ‘offers no guardrails for post-install hooks, expect new throwaway accounts, fresh packages, alternative exfiltration endpoints, and perhaps larger payloads once a target list is complete,’ Socket warned.

The npm repository is a recurring source of malicious packages that take advantage of careless coding practices. Only days earlier, Socket [spotted](https://socket.dev/blog/malicious-npm-packages-target-react-vue-and-vite-ecosystems-with-destructive-payloads) a collection of malicious packages for widely used JavaScript frameworks that went undetected for more than two years, accumulating more than 6,200 downloads. In April, the software supply chain firm detected North Korean hackers spreading the BeaverTail infostealer through 11 npm packages masquerading as utilities for array validation, logging and debugging (see: [*Lazarus Expands NPM Campaign With Trojan Loaders*](/lazarus-expands-npm-campaign-trojan-loaders-a-27943)).

The first malicious package in this campaign emerged only two weeks ago, with a new package appearing on the repository only hours before Socket went public. ‘The script targets Windows, macOS or Linux systems, and includes basic sandbox-evasion checks, making every infected workstation or continuous-integration node a potential source of valuable reconnaissance,’ Socket wrote.

Install-time scripts, also known as post-install scripts, run automatically after an npm package is installed on a system. Each package was published under one of three npm accounts: `bbbb335656`, `cdsfdfafd1232436437` and `sdsds656565`, with each account distributing 20 identical packages containing the reconnaissance script.

The packages, including `seatable`, `datamart` and `seamless-sppmy`, all feature the same JavaScript logic for network and host fingerprinting.

Socket reported the packages to the npm registry but said they remain live. As of Saturday, they appear to no longer be active.

Socket recommended that developers scan for post-install hooks, hardcoded URLs and unusually small package sizes.

#### [Prajeet Nair](https://www.govinfosecurity.com/authors/prajeet-nair-i-3483)

*Assistant Editor, Global News Desk, ISMG*

Prajeet Nair is a seasoned cybersecurity journalist with over a decade of experience covering cybersecurity and OT developments in the US and the Asia-Pacific region. As an editor, he has interviewed key decision-makers, including CISOs, CIOs, regulators and law enforcement leaders. Before joining ISMG, Prajeet held editorial roles at The New Indian Express, TechCircle, IDG and the Times Group. He is currently based in Bengaluru, India.
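Socket's recommendation to scan for post-install hooks, hardcoded URLs and unusually small package sizes, as an added example that is not code from Socket or from the article: a Node.js triage helper that checks one package for all three signals. The 4096-byte threshold, the rule that a hook needs a second signal before review, and every name in the block are assumptions.

```javascript
// Added example: flag the article's three signals on one npm package.
const HOOKS = ['preinstall', 'install', 'postinstall'];
const URL_RE = /https?:\/\/[^\s'"`)]+/g;
const SMALL_BYTES = 4096; // assumed cut-off for "unusually small"; tune locally

// manifest: parsed package.json. files: { relativePath: text }, decoded as
// latin1 so that string length equals the file's byte count.
function auditPackage(manifest, files) {
  const scripts = manifest.scripts || {};
  const hooks = HOOKS.filter((h) => typeof scripts[h] === 'string');
  // A URL can sit in the hook command itself or in any shipped script file.
  const code = Object.keys(files).filter((f) => /\.[cm]?js$/.test(f)).map((f) => files[f]);
  const urls = new Set();
  for (const text of [...hooks.map((h) => scripts[h]), ...code]) {
    for (const u of text.match(URL_RE) || []) urls.add(u);
  }
  const bytes = Object.values(files).reduce((n, t) => n + t.length, 0);
  const small = bytes < SMALL_BYTES;
  // Assumed triage rule: hooks alone are common, so require a second signal.
  const review = hooks.length > 0 && (urls.size > 0 || small);
  return { name: manifest.name, hooks, urls: [...urls].sort(), bytes, small, review };
}

// Read one package directory from disk (nested node_modules skipped) and audit it.
function auditDir(dir) {
  const fs = require('node:fs');
  const path = require('node:path');
  const files = {};
  const walk = (rel) => {
    for (const e of fs.readdirSync(path.join(dir, rel), { withFileTypes: true })) {
      const p = path.join(rel, e.name);
      if (e.isDirectory() && e.name !== 'node_modules') walk(p);
      else if (e.isFile()) files[p] = fs.readFileSync(path.join(dir, p), 'latin1');
    }
  };
  walk('');
  return auditPackage(JSON.parse(files['package.json']), files);
}

// Constructed sample, not one of the packages named in the article.
const sample = auditPackage(
  { name: 'example-pkg', scripts: { postinstall: 'node index.js' } },
  { 'package.json': '{"name":"example-pkg"}', 'index.js': 'const dest = "https://collector.example/in";' }
);
console.log(sample.name, sample.hooks, sample.urls, sample.bytes, sample.review);
```

Call `auditDir` on each package directory of a tree installed with `npm install --ignore-scripts`, so the hooks being inspected have not already run.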


