{"id":214820,"date":"2025-05-27T01:10:57","date_gmt":"2025-05-27T06:10:57","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/05\/over-70-malicious-npm-and-vs-code-packages-found-stealing-data-and-crypto"},"modified":"2025-05-27T01:10:57","modified_gmt":"2025-05-27T06:10:57","slug":"over-70-malicious-npm-and-vs-code-packages-found-stealing-data-and-crypto","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/05\/over-70-malicious-npm-and-vs-code-packages-found-stealing-data-and-crypto","title":{"rendered":"Over 70 Malicious npm and VS Code Packages Found Stealing Data and Crypto"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/over-70-malicious-npm-and-vs-code-packages-found-stealing-data-and-crypto2.jpg\"><\/a><\/p>\n<p>As many as 60 malicious npm packages have been discovered in the package registry with malicious functionality to harvest hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint.<\/p>\n<p>The packages, published under three different accounts, come with an install\u2011time script that\u2019s triggered during npm install, Socket security researcher Kirill Boychenko said in a report published last week. The libraries have been collectively downloaded over 3,000 times.<\/p>\n<p>\u201cThe script targets Windows, macOS, or Linux systems, and includes basic sandbox\u2011evasion checks, making every infected workstation or continuous\u2011integration node a potential source of valuable reconnaissance,\u201d the software supply chain security firm <a href=\"https:\/\/socket.dev\/blog\/60-malicious-npm-packages-leak-network-and-host-data\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As many as 60 malicious npm packages have been discovered in the package registry with malicious functionality to harvest hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint. The packages, published under three different accounts, come with an install\u2011time script that\u2019s triggered during npm install, Socket security researcher Kirill Boychenko said in [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1523,1492],"tags":[],"class_list":["post-214820","post","type-post","status-publish","format-standard","hentry","category-computing","category-security"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/214820","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=214820"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/214820\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=214820"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=214820"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=214820"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}