Malicious modules found in NPM library were downloaded thousands of times

More malicious Javascript code has been found in packages available on the open-source NPM repository, say researchers at ReversingLabs, highlighting the most recent discovery of untrustworthy libraries on open-source sites.

The company said it has found more than two dozen bad packages, dating back six months, that contain obfuscated Javascript designed to steal form data from individuals using applications or websites where the malicious packages had been deployed.

The researchers described it as a “co-ordinated supply chain attack.”

“While the full extent of this attack isn’t yet known, the malicious packages we discovered are likely used by hundreds, if not thousands of downstream mobile and desktop applications as well as websites,” the report says. “In one case, a malicious package had been downloaded more than 17,000 times.”

The attackers are relying on typo-squatting, naming their packages with names that are similar to — or common misspellings of — legitimate packages. Among those impersonated are high-traffic modules like umbrellajs (the fake module is called umbrellaks) and packages published by

Similarities between the domains used to exfiltrate data suggest that the various modules in this campaign are in the control of a single actor, the report adds.

NPM is one of a number of open-source libraries of software packages used by developers in their applications. Others are PyPI, Ruby and NuGet.

The recent discovery of bad code in these libraries only emphasizes the need for application developers to closely vet the code they download from open-source websites. One tool they can use is a javascript deobfuscator to examine obfuscated code — in itself a suspicious sign.

ReversingLabs did that with the suspicious modules it found and discovered that all of them collect form data using jQuery Ajax functions and send it to various domains controlled by malicious authors.

Not only are the names of malicious packages similar to legitimate packages, the websites the packages link to are in some cases well-crafted copies of real sites. This also deceives those who download the packages. For example, this is the fake Ionic page that links to one of the malicious packages discovered by ReversingLabs …


… and this is the real website.

“This attack marks a significant escalation in software supply chain attacks,” says the report. “Malicious code bundled within the NPM modules is running within an unknown number of mobile and desktop applications and web pages, harvesting untold amounts of user data.

“The NPM modules our team identified have been collectively downloaded more than 27,000 times. As very few development organizations have the ability to detect malicious code within open source libraries and modules, the attacks persisted for months before coming to our attention. While a few of the named packages have been removed from NPM, most are still available for download at the time of this report.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.