Cybersecurity Warning: 3,000 Downloads Hide Malicious Code Stealing Data

By 813 Staff


Reported by The Hacker News (@TheHackersNews) in the last 24 hours.

Source: https://x.com/TheHackersNews/status/2056298318662451507

Privately, security researchers are calling this one sloppy but effective. Engineers who track open-source supply chain attacks tell me these four npm packages weren’t particularly sophisticated—they didn’t need to be. The malicious code was designed to fly under the radar of automated scanners, not to evade manual review. And it worked. According to a report shared by *The Hacker News* (@TheHackersNews), the packages collectively accumulated 3,006 downloads before being flagged and removed from the npm registry. The discovery, made public on May 18, 2026, adds to a growing body of evidence that software supply chain attacks remain one of the most reliable vectors for initial access.

The packages in question were identified by independent security analysts who monitor the npm ecosystem for suspicious behavior. Internal documents from the response team show that the payloads were infostealers—malware specifically engineered to exfiltrate credentials, browser cookies, and environment variables from developer workstations and CI/CD pipelines. The targeting is precise: these packages were named to resemble legitimate dependencies or commonly used utility libraries, a tactic known as typosquatting. The attackers bet on developers mistyping a package name during `npm install`, and in hundreds of cases, the bet paid off. The 3,006 downloads represent real infections across development environments, many of which likely belong to small-to-midsize tech firms that lack rigorous dependency review processes.

The rollout, however, has been anything but smooth for the attackers. Once the packages were publicly identified, npm’s security team moved quickly to take down the offending entries. But the damage is already done. Infostealers historically operate in bursts—they exfiltrate data within hours of installation—so the window for credential harvesting has likely closed. What remains uncertain is whether the stolen credentials have already been used to pivot into corporate networks or cloud infrastructure. The analysts I’ve spoken with are still tracing the command-and-control infrastructure tied to the payloads, and results are not yet public.

For now, the critical takeaway is this: every developer who ran `npm audit` in the past week should double-check their active dependencies. The npm registry processes billions of downloads monthly, and a few thousand malicious installations can seed significant damage. Expect additional advisories from npm’s security team in the coming days, as investigators continue reverse-engineering the full scope of the campaign. Until then, treat any unknown dependency as a liability.

