Typosquatt alert ! Malicious npm Package: nyc-config
Table of Contents
Recently, we discovered a malicious npm package nyc-config in our internal Open Source Software (OSS) package monitoring dashboard. It involved sending user system data to external domains. It is a possible typosquatt attack against the widely adopted @istanbuljs/load-nyc-config, which boasts ~25M weekly downloads.
Discovery and Analysis
Our automated malware analysis flagged the nyc-config package as malicious due to System Information Exfiltration. Upon manual inspection, we observed that the package’s package.json file contained a preinstall script designed to execute the index.js file during installation step itself. This script was crafted to gather sensitive system information such as:
- Hostname
- Operating system details
- Local and public IP addresses
- Username
- Current working directory
The collected data was then exfiltrated to remote servers controlled by the attacker.
You can view the analysis here - https://platform.safedep.io/community/malysis/01JP01T1WQPNGAG516NDS9A6ST
Community Engagement
Recognizing the severity of this threat, we promptly reported our findings to the Open Source Security Foundation (OSSF) - https://github.com/ossf/malicious-packages/pull/839
Conclusion
This incident underscores the critical importance of being cautious when incorporating third-party packages, ensuring they originate from trusted sources. By staying vigilant and fostering collaborative efforts, we can collectively mitigate the risks posed by malicious actors and fortify the security of our development environments.
- npm
- malware
- typosquatting
- open-source security
Author
SafeDep Team
safedep.io
Share
The Latest from SafeDep blogs
Follow for the latest updates and insights on open source security & engineering
Official jscrambler npm Package Compromised Across Multiple Releases
The official jscrambler npm package (60K monthly downloads) was trojanized starting at 8.14.0 through an npm account or CI compromise. The attacker republished the same Rust infostealer across five...
@marketfront: 25 npm Packages Reuse a Known Lure
On July 1, 2026, npm user marketfront batch-published 25 packages carrying the same README lure SafeDep has tracked across four earlier accounts (mr.4nd3r50n, pik-libs, t-in-one, emcd-vue): "Internal...
nodemon-sudo: an npm Backdoor With No Install Script
nodemon-sudo copies the real nodemon byte for byte, adds nothing malicious to its own code, and injects one extra dependency, tslint-conf, a repackaged pino logger carrying a backdoor. There is no...
The Polymarket Trap: A Fake Arbitrage Bot, Ten npm Accounts, and Four Ways to Deliver an Infostealer
A GitHub repository posing as a Polymarket arbitrage bot accumulated 53 forks before anyone flagged the malicious npm package buried in its dependencies. Behind that repo: ten coordinated npm...
Ship Code.
Not Malware.
Start free with open source tools on your machine. Scale to a unified platform for your organization.