Malicious activity on npm: Hundreds of software packages contaminated with self-replicating malware
The npm ecosystem around Node.js is currently under attack by malware: hundreds of packages have been infected, and the count is now approaching 500. Security researchers tracking the malicious software report that it replicates itself, which makes it a worm.
One of the compromised packages, "nodejs-smtp", was uploaded in April 2025 by the user "nikotimon" using the email address [email protected]. It impersonated the popular "nodemailer" library and was removed after Socket researchers discovered it in September 2025. About a dozen other packages from the same developer are also affected.
The malware, which is known to use the open-source secret scanner TruffleHog to harvest sensitive data such as API keys and access credentials for GitHub and for Google's and Amazon's cloud platforms, has been found in packages from various sources, including the NativeScript community and even some published by the security company CrowdStrike.
CrowdStrike has taken proactive measures to address the issue: it removed the malicious npm (Node Package Manager) packages and rotated its keys as a precaution. The company states that its platform is not affected, that its customers remain protected, and that it is working closely with npm on a thorough investigation.
Security companies advise developers and DevOps teams to check their development environments urgently and to "pin" packages to known-good versions. Developers who manage packages on npm should consult the full list of infected packages and act immediately if any infected version appears in their projects. Detailed instructions are available in StepSecurity's blog post.
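The two checks recommended above can be automated. The following Node.js script is an added example written for this article; it is not code from the original report or from any of the named vendors. It reads a package-lock.json, lists every resolved name@version pair (including nested copies), compares them against a list of compromised versions, and separately reports package.json dependencies that are not pinned to an exact version. The AFFECTED set and the sample lockfile and manifest are constructed placeholders; in practice, the set must be filled from the published list of infected packages.

```javascript
// Added example: audit an npm lockfile against known-bad versions and
// report unpinned dependency ranges. Not part of the original article.

// CONSTRUCTED placeholder list of compromised "name@version" entries.
// Replace with the published list of infected packages before real use.
const AFFECTED = new Set([
  'example-compromised-pkg@1.2.3',
  '@example-scope/another-pkg@4.5.6',
]);

// Collect every resolved "name@version" in a package-lock.json object.
// Handles lockfileVersion 2/3 ("packages" keyed by node_modules paths)
// and the legacy lockfileVersion 1 "dependencies" tree.
function lockedPackages(lock) {
  const found = new Set();
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry, not a dependency
      // The package name is whatever follows the last "node_modules/".
      const marker = 'node_modules/';
      const idx = path.lastIndexOf(marker);
      const name = idx >= 0 ? path.slice(idx + marker.length) : path;
      if (meta && meta.version) found.add(name + '@' + meta.version);
    }
  }
  if (lock.dependencies) {
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps)) {
        if (meta.version) found.add(name + '@' + meta.version);
        if (meta.dependencies) walk(meta.dependencies); // nested copies
      }
    };
    walk(lock.dependencies);
  }
  return [...found].sort();
}

// Return the locked entries that appear in the compromised list.
function findCompromised(lock, affected = AFFECTED) {
  return lockedPackages(lock).filter((id) => affected.has(id));
}

// A dependency counts as pinned only if its spec is one exact semver
// version; ranges such as ^1.2.0, ~9.0.0, >=1.0.0 or * are reported.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
function unpinnedDependencies(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push(name + ': ' + spec);
    }
  }
  return out.sort();
}

// CONSTRUCTED sample inputs standing in for a real project's files.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '0.0.1' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/example-compromised-pkg': { version: '1.2.3' },
    'node_modules/@example-scope/another-pkg': { version: '4.5.0' },
    // a nested copy at the compromised version hides under another package
    'node_modules/foo/node_modules/@example-scope/another-pkg': { version: '4.5.6' },
  },
};
const SAMPLE_PKG = {
  dependencies: { 'left-pad': '1.3.0', 'example-compromised-pkg': '^1.2.0' },
  devDependencies: { eslint: '~9.0.0' },
};

// Usage: node audit-lock.js [package-lock.json] [package.json]
// Without arguments the constructed samples are used.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  const pkg = process.argv[3] ? JSON.parse(fs.readFileSync(process.argv[3], 'utf8')) : SAMPLE_PKG;
  console.log('compromised versions in lockfile:', findCompromised(lock));
  console.log('dependencies not pinned to an exact version:', unpinnedDependencies(pkg));
}
```

The lockfile walk matters more than the manifest check: a compromised version can be present only as a nested copy pulled in by some other dependency, where package.json never mentions it. Pinning alone does not remove an already-installed bad version, so the lockfile audit should run first and any hit should be followed by the vendor's remediation steps, including credential rotation.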
Note that the malicious packages were not used by CrowdStrike's Falcon sensor. The malware creates a GitHub repository named "Shai-Hulud", a reference to the sandworms in Frank Herbert's "Dune".
This incident serves as a reminder for developers to be vigilant and cautious when managing packages, ensuring they are using trusted and secure versions. By taking immediate action and following best practices, the risk of falling victim to such attacks can be significantly reduced.