Malicious npm Package
What is Malicious npm Package?
An npm package that contains hidden code designed to steal data, install malware, or compromise downstream applications when installed.
A malicious npm package abuses the trust JavaScript developers place in the public npm registry. Attackers publish brand-new packages, hijack abandoned ones, or compromise maintainer accounts to push tainted versions of widely used libraries. Common payloads include credential and token stealers, cryptocurrency wallet drainers, and droppers that execute on install via npm lifecycle scripts. High-profile cases include event-stream (2018), where a transferred maintainer injected a Bitcoin wallet stealer, and ua-parser-js (2021), whose compromised version installed crypto miners and password thieves on millions of machines. Mitigations include lockfiles, --ignore-scripts, two-factor authentication for maintainers, SBOMs, dependency scanners, and provenance attestation.
● Examples
1. event-stream (2018): a new maintainer added flatmap-stream to steal Copay wallet funds.
2. ua-parser-js (2021): hijacked versions installed a coin miner and a credential stealer.
● Frequently asked questions
What is Malicious npm Package?
An npm package that contains hidden code designed to steal data, install malware, or compromise downstream applications when installed. It belongs to the Attacks & Threats category of cybersecurity.
What does Malicious npm Package mean?
An npm package that contains hidden code designed to steal data, install malware, or compromise downstream applications when installed.
How does Malicious npm Package work?
A malicious npm package abuses the trust JavaScript developers place in the public npm registry. Attackers publish brand-new packages, hijack abandoned ones, or compromise maintainer accounts to push tainted versions of widely used libraries. Common payloads include credential and token stealers, cryptocurrency wallet drainers, and droppers that execute on install via npm lifecycle scripts. High-profile cases include event-stream (2018), where a transferred maintainer injected a Bitcoin wallet stealer, and ua-parser-js (2021), whose compromised version installed crypto miners and password thieves on millions of machines. Mitigations include lockfiles, --ignore-scripts, two-factor authentication for maintainers, SBOMs, dependency scanners, and provenance attestation.
How do you defend against Malicious npm Package?
Defences for Malicious npm Package typically combine technical controls (lockfiles, installing with --ignore-scripts, dependency scanners, SBOMs, and provenance attestation) with operational practices such as two-factor authentication for maintainers.
What are other names for Malicious npm Package?
Common alternative names include: Malicious package, Tainted npm release.
● Related terms
- Typosquatted Package (attacks, № 1183): A malicious open-source package published under a name that closely resembles a popular library so that developers install it by mistake.
- Dependency Confusion Attack (appsec, № 304): A supply-chain attack in which an adversary publishes a malicious package on a public registry with the same name as an organization's internal dependency, tricking build tools into pulling the public version.
- Supply Chain Attack (attacks, № 1116): An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- Starjacking (attacks, № 1097): A supply-chain trick where a malicious package falsely links to a popular GitHub repository so it appears to inherit that project's stars, forks, and credibility.
- Protestware (attacks, № 868): Open-source software whose maintainer adds politically motivated code that displays a message or sabotages users perceived to be in a targeted country.