Malicious npm Packages Aim to Target Developers for Source Code Theft

An unknown threat actor is leveraging malicious npm packages to target developers with the aim of stealing source code and configuration files from victim machines, another sign of how persistently such threats lurk in open-source repositories.

The latest findings describe a continuation of the same campaign that Phylum disclosed at the start of the month, in which a number of npm modules were engineered to exfiltrate valuable information to a remote server.

The packages are designed to execute immediately after installation by means of a postinstall hook defined in the package.json file. The hook launches preinstall.js, which in turn spawns index.js to capture system metadata and to harvest source code and secrets from specific directories.

The attack culminates with the script creating a ZIP archive of the data and transmitting it to a predefined FTP server.
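As an added illustration of how a defender can look for the install-time chain described above, the following Node.js script is example code written for this page; it is not code from the report or from the packages in question. It lists the lifecycle hooks declared in a package.json and then scans the package's JavaScript for the indicators the article names: system metadata collection, traversal of home and config directories, ZIP creation and an FTP client. The two sample packages are constructed for the example, and the indicator list, module names and the `isSuspicious` threshold are assumptions chosen to demonstrate the technique, not signatures taken from the campaign.

```javascript
// Added example, not code from the report or from the packages discussed.
// Audits an npm package for install-time lifecycle hooks and for the
// metadata/secret harvesting, ZIP, and FTP pattern the article describes.

// Hooks npm runs automatically during `npm install` (prepare only for local
// installs and git dependencies).
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators. Module names are common choices, not campaign IOCs.
const INDICATORS = [
  { id: 'ftp-client',       re: /\brequire\(['"](basic-ftp|ftp|jsftp)['"]\)/ },
  { id: 'archive-creation', re: /\brequire\(['"](archiver|adm-zip|tar)['"]\)/ },
  { id: 'child-process',    re: /\brequire\(['"]child_process['"]\)/ },
  { id: 'home-dir-walk',    re: /os\.homedir\(\)|\.ssh\b|\.aws\b|\.npmrc\b|\.env\b/ },
  { id: 'system-metadata',  re: /os\.(hostname|userInfo|networkInterfaces)\(/ },
];

// files: Map<relativePath, content>, which must contain 'package.json'.
// Returns one finding per lifecycle hook and per (file, indicator) hit.
function auditPackageFiles(files) {
  const pkg = JSON.parse(files.get('package.json'));
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ kind: 'lifecycle-hook', hook, command: scripts[hook] });
  }
  // Scan every JS file rather than tracing spawn chains (preinstall.js ->
  // index.js); a second stage that is never referenced by name is still caught.
  for (const [file, content] of files) {
    if (!file.endsWith('.js')) continue;
    for (const ind of INDICATORS) {
      if (ind.re.test(content)) findings.push({ kind: 'indicator', id: ind.id, file });
    }
  }
  return findings;
}

// Assumed threshold: a package that runs on install and shows at least two
// harvesting/exfiltration indicators is worth blocking before install completes.
function isSuspicious(findings) {
  const hooks = findings.some(f => f.kind === 'lifecycle-hook');
  const ids = new Set(findings.filter(f => f.kind === 'indicator').map(f => f.id));
  return hooks && ids.size >= 2;
}

// Reads an unpacked package directory (e.g. node_modules/<name>) into the Map
// shape auditPackageFiles expects. Only used when a path is given on the CLI.
function readPackageDir(dir) {
  const fs = require('fs');
  const path = require('path');
  const files = new Map();
  (function walk(d) {
    for (const ent of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, ent.name);
      if (ent.isDirectory()) { if (ent.name !== 'node_modules') walk(p); continue; }
      if ((ent.name === 'package.json' && d === dir) || ent.name.endsWith('.js')) {
        files.set(path.relative(dir, p), fs.readFileSync(p, 'utf8'));
      }
    }
  })(dir);
  return files;
}

// Constructed sample mimicking the chain in the article; not the real code.
const SAMPLE_MALICIOUS = new Map([
  ['package.json', JSON.stringify({
    name: 'example-pkg', version: '1.0.0',
    scripts: { postinstall: 'node preinstall.js' },
  })],
  ['preinstall.js', [
    "const { spawn } = require('child_process');",
    "spawn(process.execPath, ['index.js'], { detached: true, stdio: 'ignore' }).unref();",
  ].join('\n')],
  ['index.js', [
    "const os = require('os');",
    "const archiver = require('archiver');",
    "const ftp = require('basic-ftp');",
    "const meta = { host: os.hostname(), user: os.userInfo().username };",
    "const targets = ['.env', '.ssh', '.aws', 'src'].map(d => os.homedir() + '/' + d);",
    "// ... zip targets and upload to a hard-coded FTP server ...",
  ].join('\n')],
]);

// Constructed benign package for comparison.
const SAMPLE_BENIGN = new Map([
  ['package.json', JSON.stringify({ name: 'ok-pkg', version: '1.0.0', scripts: { test: 'node test.js' } })],
  ['index.js', 'module.exports = (a, b) => a + b;'],
]);

// Usage: node audit.js [path/to/unpacked/package]; defaults to the sample above.
const target = process.argv.length > 2 ? readPackageDir(process.argv[2]) : SAMPLE_MALICIOUS;
const report = auditPackageFiles(target);
console.log(JSON.stringify({ suspicious: isSuspicious(report), findings: report }, null, 2));
```

The point of scanning every `.js` file rather than following the `postinstall` command is that the first stage here is a one-line launcher; the harvesting logic lives in a file the hook never names. Run the script with `npm install --ignore-scripts` first so the audit happens before any hook executes, and treat a match as a reason to inspect the package, not as proof on its own, since legitimate packages also use child_process, tar and home-directory config files.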

While the exact goals of the campaign are unclear, the use of package names such as binarium-client, binarium-crm, and rocketrefer suggests that the targeting is geared toward the cryptocurrency sector.

“The cryptocurrency sector remains a hot target, and it’s important to recognize that we’re not just grappling with malicious packages, but also persistent adversaries whose continuous and meticulously planned attacks date back months or even years,” security researcher Yehuda Gelb said.