
Malicious npm and VS Code Extensions Used in Widespread Supply Chain Attacks


Cybersecurity researchers have uncovered a series of malicious packages uploaded to the npm package registry and Visual Studio Code (VS Code) Marketplace, designed to exfiltrate sensitive data, destroy project files, and distribute further malware. These campaigns demonstrate the increasing sophistication of software supply chain attacks, where legitimate developer ecosystems are manipulated to serve as malware delivery channels.

Malicious npm Packages Harvesting System Information

Discovery

Researchers at Socket reported the detection of 60 malicious npm packages uploaded under three now-removed accounts: bbbb335656, cdsfdfafd1232436437, and sdsds656565. These packages featured install-time scripts that were executed automatically when users ran npm install.

Behavior and Capabilities

  • Designed to run on Windows, macOS, and Linux

  • Embedded scripts perform sandbox evasion checks

  • Collect:

    • Hostnames and usernames

    • Internal and external IP addresses

    • DNS server data

    • Network Interface Card (NIC) information

    • User directory paths

All harvested data was exfiltrated via a Discord webhook, allowing attackers to conduct detailed reconnaissance of victim environments. The goal appears to be network mapping and identifying high-value targets for potential follow-up attacks.

Destructive npm Packages Masquerading as Framework Helpers

In a related case, eight more npm packages were found masquerading as utility libraries for popular JavaScript frameworks such as React, Vue.js, Vite, and Node.js. These include:

  • vite-plugin-vue-extend

  • quill-image-downloader

  • js-bomb

  • js-hood

  • vue-plugin-bomb

  • vite-plugin-bomb

  • vite-plugin-bomb-extend

  • vite-plugin-react-extend

Once invoked, some of these packages execute destructive scripts that:

  • Delete critical project files

  • Corrupt JavaScript methods

  • Tamper with browser storage (localStorage, sessionStorage, and cookies)

  • Shut down the system (js-bomb package)

According to researcher Kush Pandya, the attacker behind these packages, identified as xuxingfeng, also published several legitimate libraries, blurring the line between malicious and trustworthy content.

Phishing via npm and Open-Source JavaScript

Another novel attack combined email phishing with malicious npm packages. Victims received .HTM attachments that loaded JavaScript through the jsDelivr CDN from a rogue npm package named citiycar8.

Attack Flow

  1. Victim opens .HTM file

  2. JavaScript loads a second-stage script from the npm package

  3. Generates fake Office 365 login pages using the victim’s email

  4. Credentials are stolen and sent to the attacker

This multi-layered attack used AES encryption, content delivery networks, and URL redirection to evade detection.

Malicious VS Code Extensions Targeting Cryptocurrency Developers

Datadog Security Research revealed another attack campaign involving malicious VS Code extensions designed to steal cryptocurrency wallet credentials, particularly from Solidity developers. The extensions, published by a threat actor named MUT-9332, included:

  • solaibot

  • among-eth

  • blankebesxstnion

Although marketed as vulnerability scanners and syntax tools, they secretly delivered multi-stage malware payloads that:

  • Stole wallet credentials

  • Installed malicious Chromium-based browser extensions

  • Disabled Windows Defender

  • Scanned application data for Discord, browser, and wallet data

A payload was also hidden within an image file hosted on the Internet Archive, showcasing the attacker’s creativity in obfuscation.

Broader Implications and Takeaways

These campaigns highlight the growing complexity and diversity of attacks targeting developer ecosystems:

  • The npm registry is increasingly abused to deliver information stealers, logic bombs, and phishing kits.

  • The VS Code Marketplace is being used to infiltrate developer machines, particularly those of developers working with blockchain and cryptocurrency technologies.

Recommendations

  • Use vetted tools for open-source package scanning (e.g., Socket, Snyk)

  • Check package metadata and authorship history

  • Avoid unfamiliar packages, especially those with recent publication dates or limited documentation

  • Audit development environments regularly

  • Educate developers about supply chain threats

Conclusion

These incidents reaffirm that open-source ecosystems are high-value targets for cybercriminals. From stealing data to corrupting systems and tricking users with phishing schemes, attackers are refining their tactics to exploit trust within the developer community. Mitigation requires a proactive security mindset, shared threat intelligence, and collaboration between the open-source community, enterprises, and security researchers.