Malicious Code Found in NPM Packages
December 10, 2021 - As previously discussed here, researchers at JFrog Security have found another 17 malicious packages in NPM (the Node.js package registry), which serves roughly 11 million developers and hosts more than 1 million packages. Many of the packages are built to steal the victim's Discord token, the authentication credential the Discord client uses in place of a password; with it an attacker gains full access to the victim's Discord account without needing the password or a second factor.
The 17 malicious packages appear to have been published by several different threat actors, using varying techniques and levels of effort to trick developers into installing the malicious package instead of the legitimate one they intended.
Anyone installing open source packages should take extra care to confirm that the package is the one they meant to install and not malware masquerading under a similar name. Larger organizations that rely heavily on open source software may find it worthwhile to use a package-management service or internal registry that vets and pins third-party packages before developers can pull them.