Researchers identified two malicious NPM packages, naya-flore and nvlore-hsc, posing as WhatsApp development tools and containing destructive code. These packages, published in the NPM registry, have been downloaded over 1,100 times. Despite removal requests, they remain available, alongside more packages from the same publisher. While other packages might not currently exhibit malicious behavior, they have the potential to activate harmful code. The malicious functionality includes deleting files using the command rm -rf * and a dormant function for exfiltration of sensitive information. Additionally, eleven malicious Go packages were discovered with obfuscation techniques for executing payloads.
The malicious NPM packages, naya-flore and nvlore-hsc, masquerade as legitimate WhatsApp development tools but instead contain destructive code that deletes files from developers' systems.
Socket flagged the malicious packages to the NPM registry after they were downloaded over 1,100 times, yet they remain available despite removal requests.
The packages bear resemblance to legitimate WhatsApp libraries but incorporate harmful functionality that could be activated through an update at any time.
Additional malicious Go packages discovered exhibit string obfuscation techniques for executing external payloads, raising significant security concerns.
Collection
[
|
...
]