See for yourself – run a scan on your code right now

Node Package Manager (NPM) is the default package manager for JavaScript that makes it easier for developers to install, update, and manage web project dependencies. In July 2023, GitHub released a security alert about a social engineering campaign targeting personal accounts. On August 15, 2023, The Hacker News reported that North Korean threat actors appeared to be engaging in a sophisticated, targeted attack. 

As attackers continue to deploy these combined social engineering and supply chain attacks, developers should know how to identify npm package exploits. 

What Do NPM Attacks Look Like?

When you aggregate the various announcements, the attacks all follow a similar pattern. 

  • Attackers create fake or takeover real repository or social media accounts, impersonating a developer or recruiter.
  • Using the account, they contact the target and ask to collaborate on public or private GitHub repository. 
  • Target clones the compromised repository and executes contents. 
  • The malicious malware npm packages download and execute the second-stage malware on the victim’s machine. 

Also, you should consider the following:

  • Attackers may hide malicious npms in various software, including media players or cryptocurrency tools
  • Sometimes attackers bypass the repository/cloning step by delivering malicious software through a messaging or file-sharing platform.

In this case, the attack focuses on inability to identify discrete components within the npm. When victims download the software to their machines, they often lack visibility into the packages. For example, more recent attacks appear to monitor machine GUIDS to determine whether the attackers want to issue additional payloads. 

List of Malicious NPM Packages 

Between the original GitHub list and the additional packages from Hacker News, developers should be wary of the following 39 malicious npm packages:

  • assets-graph
  • assets-table
  • audit-ejs
  • audit-vue
  • binance-price
  • binance-prices
  • coingecko-prices
  • btc-web3
  • cache-react
  • cache-vue
  • chart-tablejs
  • chart-vxe
  • cloud-room-video
  • couchcache-audit
  • ejs-audit
  • elliptic-helper
  • elliptic-parser
  • eth-api-node
  • jpeg-metadata
  • other-web3
  • pingan-vue-floating
  • price-fetch
  • price-record
  • progress-player
  • srm-front-util
  • snykaudit-helper
  • sync-http-api
  • sync-https-api
  • tslib-react
  • tslib-util
  • ttf-metadata
  • vue-audit
  • vue-gws
  • vuewjs
  • ws-paso-jssdk
  • ynf-core-loader
  • ynf-core-renderer 
  • ynf-dx-scripts
  • ynf-dx-webpack-plugins


What to Do If You Are a Victim of a Malicious NPM Supply Chain Attack

Although the North Korean atacks appear to target accounts connected to blockchain, cryptocurrency, online gambling, and cybersecurity sectors, all developers should be aware of these supply chain attacks and know how to mitigate risks. 

Just Say “No”

If anyone you don’t already know reaches out to collaborate with you, engage in thorough due diligence. Additionally, GitHub has identified, at minimum, the following malicious GitHub accounts:

  • GalaxyStarTeam
  • Cryptowares
  • Cryptoinnowise
  • netgolden

Further, it has identified the following malicious npm accounts:

  • charlestom2023
  • eflodzumibreathbn
  • galaxystardev
  • garik.khasmatulin.76
  • hydsapprokoennl
  • leimudkegoraie3
  • leshakov-mikhail
  • linglidekili9g
  • mashulya.bakhromkina
  • mayvilkushiot
  • outmentsurehauw3
  • paupadanberk
  • pormokaiprevdz
  • podomarev.goga
  • teticseidiff51
  • toimanswotsuphous
  • ufbejishisol

Review Security Logs

If you’re not sure whether you accepted a repository invite from one of these accounts, you can search your GitHub security log.

Identify Dependencies

Modern applications often incorporate various open-source libraries and frameworks, making it difficult to identify functional elements and data flow paths. By scanning your open source libraries, you can identify malicious packages. For example, your Software Bill of Materials (SBOM) should provide an in-depth explanation of security issues associated with packages so that you can identify and remediate threats. 

Further, if recently published, net-new packages, scripts, or dependencies make network connections during installation, you should engage in further review. 

Recover Affected Machines 

If you identify any malicious npm packages, you can take some of the following steps to recover from the attack:

  • Reset or wipe potentially impacted devices
  • Change passwords
  • Rotate sensitive credentials/tokens

Qwiet AI: AI For Software Supply Chain Attack Mitigation

With Qwiet AI’s Intelligent Software Composition Analysis (SCA) platform, you can quickly scan your source code, detecting all dependencies, to build security into your CI/CD processes. Our Intelligent SBOMs provide visibility into the components that make up your apps, enabling you to proactively and reactively secure your software. You can integrate our preZero platform directly into your existing pipelines, ticketing systems, and development tools, enabling you to find and fix high-priority vulnerabilities while still meeting your software delivery timelines. 

Take our preZero platform for a free spin or contact us today to see how Qwiet AI can help you secure your applications against threats. 


About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit:


See for yourself – run a scan on your code right now