One Threat to Unite Them All: Malicious Code Hidden in NPM Packages

Security Researcher

Cycode’s research team discovered three NPM packages that, on the surface, looked like any other package in the registry. Once we dug deeper, we found that each one carried an obfuscated malicious payload that ran at install time, collected details about the host machine, and reached out to a remote server to fetch additional code to execute.

In this blog, we’re going to walk you through how we found these packages, what they do, and why you should care. We’ll break down the whole investigation process, share some key takeaways, and give you the knowledge you need to spot and avoid similar threats in the future.

What Happened?

On December 28, 2024, three malicious packages were uploaded to the NPM ecosystem:

  • serve-static-corell – “A lightweight static file server”
  • openssl-node – “a utility package designed to resolve compatibility issues between Node.js and OpenSSL”
  • next-refresh-token – “a lightweight library for managing and refreshing access tokens in Next.js”

These packages came from different contributors and appeared legitimate at first glance. But underneath their seemingly innocent descriptions, they each contained obfuscated malicious code that executed during installation, allowing attackers to run arbitrary commands on the host machine. They also had one thing in common — they all communicated with the same centralized command-and-control (C&C) server.

Even within a short window of exposure, these packages managed to accumulate thousands of downloads, illustrating just how quickly malicious code can spread through widely used ecosystems.

What Should I Do?

First things first, audit your codebase. Check your project dependencies, including lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml), installed node_modules trees, and CI or build caches, for any of these three packages, both as direct dependencies and as transitive ones pulled in by something else. If you find them, remove them immediately and treat any machine that ran `npm install` with them present as potentially compromised: the payload executes arbitrary commands and collects host details, so rotate any credentials or tokens that were available on that machine.

Next, take a closer look at your network logs, including firewall logs, IDS/IPS logs, proxy logs, or any other relevant network logs in your environment. Since all of these packages communicate with the same server, look for outbound connections to 8.152.163.60, matched as a whole address so that neighbouring ranges such as 18.152.163.60 do not produce false hits. If you find any such connection, investigate the source host further to determine whether it has been compromised and what the follow-on payload did.
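The two checks above, as an added example that is not part of the original post: the package names and the C2 address are the ones the post names; the lockfile object, the log lines and the function names are constructed for illustration. The lockfile walker handles both the v1 nested `dependencies` shape and the v2/v3 `packages` shape (where nested installs appear as `node_modules/a/node_modules/b`), so transitive copies are caught too.

```javascript
// Added example (not code from the Cycode post): look for the three
// package names in a package-lock.json and for the C2 address in network logs.
const MALICIOUS_PACKAGES = new Set([
  "serve-static-corell",
  "openssl-node",
  "next-refresh-token",
]);
const C2_IP = "8.152.163.60";

// Constructed lockfile (lockfileVersion 2 carries both shapes); "openssl-node"
// is only present as a transitive dependency nested under "some-lib".
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", dependencies: { express: "^4.18.0" } },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/openssl-node": { version: "1.0.0" },
  },
  dependencies: {
    express: { version: "4.18.2" },
    "next-refresh-token": { version: "0.1.0", dev: true },
  },
};

// Constructed firewall log lines; only the first one talks to the C2 address.
const SAMPLE_LOGS = [
  "2024-12-29T10:01:12Z fw ALLOW tcp 10.0.0.14:51234 -> 8.152.163.60:80",
  "2024-12-29T10:01:13Z fw ALLOW tcp 10.0.0.14:51235 -> 18.152.163.60:443",
  "2024-12-29T10:02:00Z fw ALLOW tcp 10.0.0.15:40000 -> 140.82.112.3:443",
];

// Collect every installed package name -> list of places it was found.
function installedPackages(lock) {
  const found = new Map();
  const add = (name, where) => {
    if (!found.has(name)) found.set(name, []);
    found.get(name).push(where);
  };
  // v2/v3: the name is whatever follows the last "node_modules/" in the key
  // (scoped packages keep their "@scope/name" form).
  for (const key of Object.keys(lock.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx === -1) continue;
    add(key.slice(idx + "node_modules/".length), key);
  }
  // v1: nested "dependencies" objects, recursed to any depth.
  const walk = (deps, path) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      add(name, `${path}${name}@${meta.version}`);
      walk(meta.dependencies, `${path}${name} > `);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

function findMaliciousPackages(lock) {
  const hits = [];
  for (const [name, where] of installedPackages(lock)) {
    if (MALICIOUS_PACKAGES.has(name)) hits.push({ name, where });
  }
  return hits;
}

// Match the address as a whole token: a preceding digit or dot, or a following
// digit, means it is part of a different address (18.152.163.60, 8.152.163.600).
const C2_RE = new RegExp(`(?<![\\d.])${C2_IP.replace(/\./g, "\\.")}(?!\\d)`);

function findC2Connections(logLines) {
  return logLines.filter((line) => C2_RE.test(line));
}

console.log("malicious packages:", findMaliciousPackages(SAMPLE_LOCKFILE));
console.log("C2 connections:", findC2Connections(SAMPLE_LOGS));
```

Point `findMaliciousPackages` at `JSON.parse(fs.readFileSync("package-lock.json"))` for a real project, and feed `findC2Connections` the lines of an exported firewall or proxy log; the IP match is a plain indicator, so a hit means "investigate this host", not proof of compromise on its own.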

Understanding the scope of the threat requires diving deeper into the technical details. In the following analysis, we’ll leverage both dynamic and static analysis techniques to uncover the behavior of these packages, from their initial execution to the hidden payloads they attempt to deliver.

Technical Details

Detecting Malicious Packages: Where It All Begins


Detecting malicious packages is rarely straightforward. Attackers have become adept at hiding harmful behavior behind seemingly legitimate functionality. One of the most common ways they achieve this is by leveraging installation scripts: NPM runs a package’s preinstall, install and postinstall scripts automatically as part of `npm install`, so a malicious package can execute arbitrary code on the target machine before the developer has imported a single line of it.
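As an added example, not code from the Cycode post or from the packages it analyses, here is the kind of check a reviewer can run on a package before installing it: list the install-time lifecycle hooks in its package.json, follow any `node <file>` command to the script it runs, and flag common markers of install-time loaders (eval, process spawning, remote fetches, base64 or hex obfuscation). The manifests, the `setup.js` contents and the heuristic list are constructed for illustration and are deliberately not a complete detector.

```javascript
// Added example (not from the Cycode post): audit npm install-time hooks.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics (an assumption, not an exhaustive list): markers typical of
// downloaders and obfuscated loaders that run from install scripts.
const SUSPICIOUS_PATTERNS = [
  [/\beval\s*\(/, "eval()"],
  [/\bnew\s+Function\s*\(/, "Function constructor"],
  [/\bchild_process\b|\bexecSync\b|\bspawn\b/, "spawns a process"],
  [/\bcurl\b|\bwget\b|\bhttps?\.get\b|\bfetch\s*\(/, "remote fetch"],
  [/base64|fromCharCode|\\x[0-9a-f]{2}/i, "encoding/obfuscation"],
  [/\bnode\s+-e\b/, "inline node -e"],
];

// Constructed package: an innocuous-looking manifest whose postinstall hook
// runs a file that decodes and evals a base64 blob (the blob here is just
// "console.log(1)", a placeholder for a real obfuscated stage).
const SAMPLE_PACKAGE = {
  manifest: {
    name: "example-util",
    version: "1.0.0",
    scripts: { test: "mocha", postinstall: "node setup.js" },
  },
  files: {
    "setup.js":
      "const os=require('os');const {execSync}=require('child_process');" +
      "eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString());",
  },
};

// Constructed benign package: a native addon that legitimately needs an
// install hook to compile itself.
const BENIGN_PACKAGE = {
  manifest: { name: "native-addon", scripts: { install: "node-gyp rebuild" } },
  files: {},
};

// Return the labels of every heuristic that matches the given text.
function scanText(text) {
  return SUSPICIOUS_PATTERNS.filter(([re]) => re.test(text)).map(([, label]) => label);
}

// One finding per install-time hook present in the manifest: the command,
// the package files it executes via `node <file>`, and the matched heuristics.
function auditInstallHooks(pkg) {
  const scripts = pkg.manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const reasons = new Set(scanText(cmd));
    const files = [];
    // Follow "node foo.js" / "node ./foo.js" into the script's own contents.
    for (const m of cmd.matchAll(/\bnode\s+(?:\.\/)?([\w./-]+\.[cm]?js)\b/g)) {
      const file = m[1];
      if (file in pkg.files) {
        files.push(file);
        for (const r of scanText(pkg.files[file])) reasons.add(r);
      }
    }
    findings.push({ hook, command: cmd, files, reasons: [...reasons] });
  }
  return findings;
}

// A package is worth a manual look if any install-time hook tripped a heuristic.
function isSuspicious(pkg) {
  return auditInstallHooks(pkg).some((f) => f.reasons.length > 0);
}

console.log(auditInstallHooks(SAMPLE_PACKAGE));
console.log("benign suspicious?", isSuspicious(BENIGN_PACKAGE));
```

To run this against a real package without executing it, fetch the tarball with `npm pack <name>` (which does not run lifecycle scripts), extract it, and build `manifest` and `files` from the archive. Independently of any scanner, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops these hooks from running at all; packages that genuinely need them, like the native addon above, will then need an explicit rebuild step.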

Installation scripts are a common feature in package managers like NPM and PyPI, allowing developers to automate setup tasks before or after the installation of a package. These scripts can be helpful for setting up configur