Malicious Code in npm, VS Code Steals Crypto, Data

More than 70 malicious packages targeting JavaScript developers have been uncovered in the npm registry and Visual Studio Code (VS Code) ecosystem, posing a significant threat to software supply chains. According to research, approximately 60 of these were found in the npm package registry, embedded with install-time scripts designed to execute automatically during installation. Once triggered, the scripts collect sensitive system data—including hostnames, IP addresses, DNS configurations, and user directories—and transmit the information to a Discord-controlled endpoint.

The packages were published under three separate user accounts, suggesting a coordinated effort to infiltrate the open-source ecosystem. The attack highlights ongoing concerns about the security of widely used development tools and the challenges in vetting third-party code. While the full scope of the campaign’s impact remains unclear, the discovery underscores the importance of enhanced monitoring and stricter controls for package repositories. Developers are urged to remain vigilant when integrating external code into their projects.