Infostealer Campaign Compromises 10 npm Packages, Targeting Developers
In March 2025, researchers discovered that 10 npm packages had been updated with malicious code designed to steal environment variables and other sensitive data from developers' machines.
The attack specifically targeted cryptocurrency-related packages, including the popular "country-currency-map", which had thousands of weekly downloads.
How the Attack Worked
Security researcher Ali ElShakankiry from Sonatype identified the threat. The malicious code was heavily obfuscated and hidden inside:
/scripts/launch.js
/scripts/diagnostic-report.js
When a compromised version was installed, these scripts ran and collected the environment variables of the machine performing the install. Code that runs during an install gets there through lifecycle hooks declared in the package's package.json (preinstall, install, postinstall), so a version bump that adds such a hook, or points an existing hook at a new script file, is exactly what to look for when reviewing a dependency update. The stolen data was then sent to a remote endpoint (written here defanged):
eoi2ectd5a5tn1h.m.pipedream(.)net
Environment variables are a prime target because they routinely hold API keys, database credentials, cloud access tokens and signing or encryption keys, and a developer's shell tends to carry credentials for many unrelated services at once. One exfiltrated environment can therefore open several platforms to the attacker, and every credential that was present when the script ran has to be treated as compromised and rotated.
Why This Matters
While the compromised packages have since been removed from the npm registry, this attack underscores the growing threat of software supply chain compromises. Developers should:
✅ Regularly audit dependencies, paying particular attention to packages whose latest version adds install-time scripts
✅ Monitor updates and security advisories, and pin versions with a lockfile so that a new release cannot reach a build unreviewed
✅ Use code security scanning tools, and install with npm's --ignore-scripts option where the project can tolerate it, so that no package hook runs automatically
✅ Limit the permissions of sensitive tokens, keep them out of the long-lived shell environment where possible, and rotate any credential that was exposed to a compromised package
Past Attacks and Lessons Learned
This isn't the first time npm has been targeted. Previous incidents include:
Typosquatting campaigns that stole developers' SSH keys
Compromised npm libraries used by crypto exchanges
As supply chain attacks become more sophisticated, developers must be proactive about securing their dependencies and minimizing risks.
Stay vigilant and prioritize security in your development workflow.🔍