The well-known npm JavaScript package manager and registry is facing an increase in malicious packages. The malicious packages are designed for data-stealing purposes to crypto-mining.

The increases in malicious packages

WhiteSource spotted 1,300 malicious packages on npm in the time period of six months till December 2021. All malicious packages were notified to npm and then removed from the registry.  
  • The report states that 57% of attacks happened during three days of the week - Friday, Saturday, and Sunday.
  • Most of these attacks (81.7%) were reconnaissance, including techniques that involve attackers actively or passively collecting information that may be used in further attacks. 
  • An additional 14% of the attacks were aimed at stealing credentials and other important data.  

The report recommends practicing caution regarding attacks that seek to abuse dependency confusion in npm.

New malicious joinees

Some of the newer malware entrants are named Mos-sass-loader, CSS-resources-loader, Reac1, reect1, Noopenpaint, Azure-web-pubsub-express, Mrg-message-broker, @maui-mf/app-auth, and more.

The attacks and techniques

The report provided information regarding the attacks and techniques used by the attackers.
  • Most of the attacks are categorized into four types such as data stealing, botnets, security research, and cryptomining.
  • Other harmful packages were script kiddies and SEO hacks used by online casinos and erotic websites.


The report shed light on the growing dangers of increasing malware in the npm JavaScript package registry. Experts recommend adopting a zero-trust policy, staying aware of the threat environment, and tracking changes in software packages regularly. Additionally, keep track of all used OSS components.

Cyware Publisher