Malicious NPM Packages Use Invisible Dependencies to Evade Detection

The article discusses the rising threat of malicious NPM packages that use invisible dependencies to evade detection and compromise software supply chains. These malicious packages exploit the trust developers place in open-source libraries by embedding harmful code in dependencies that are not immediately visible or easily detected. This tactic allows attackers to infiltrate development environments and propagate malware through widely used software projects. The article highlights the importance of rigorous dependency auditing, improved security practices in software development, and the need for enhanced tools to detect hidden malicious code in package dependencies. It also explores recent incidents and trends in supply chain attacks involving NPM packages, emphasizing the critical role of vigilance and proactive defense mechanisms in protecting the software ecosystem from such sophisticated threats. Developers and organizations are urged to adopt comprehensive security measures, including automated scanning, strict version control, and continuous monitoring of dependencies to mitigate risks associated with invisible malicious code in open-source packages.

This Cyber News was published on www.darkreading.com. Publication date: Wed, 29 Oct 2025 20:55:06 +0000

Cyber News related to Malicious NPM Packages Use Invisible Dependencies to Evade Detection

NPM Malware Campaign Uses Invisible Dependencies to Spread Malicious Code - A recent malware campaign targeting the NPM ecosystem has been uncovered, leveraging invisible dependencies to stealthily spread malicious code. Attackers are exploiting the trust developers place in open-source packages by injecting harmful payloads ...
2 weeks ago Infosecurity-magazine.com

Malicious NPM Packages Use Invisible Dependencies to Evade Detection - The article discusses the rising threat of malicious NPM packages that use invisible dependencies to evade detection and compromise software supply chains. These malicious packages exploit the trust developers place in open-source libraries by ...
2 weeks ago Darkreading.com

'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
1 year ago Bleepingcomputer.com

Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 year ago Securitylabs.datadoghq.com

5000+ Malicious Packages Found In The Wild To Compromise Windows Systems - These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, ...
8 months ago Cybersecuritynews.com

Lazarus Hackers Weaponized 6 npm Packages To Steal Logins - The hackers successfully compromised six popular npm packages, injecting malicious code designed to harvest login credentials from thousands of developers and organizations worldwide. A sophisticated supply chain attack orchestrated by the notorious ...
8 months ago Cybersecuritynews.com Lazarus Group

npm 'accidentally' removes Stylus package, breaks builds and pipelines - Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code. BleepingComputer ...
3 months ago Bleepingcomputer.com

Malicious NPM packages fetch info-stealer for Windows, Linux, macOS - A recent cybersecurity investigation has uncovered malicious NPM packages that distribute an info-stealer malware targeting Windows, Linux, and macOS platforms. These packages, hosted on the popular Node Package Manager (NPM) repository, have been ...
1 week ago Bleepingcomputer.com

Three New Malicious PyPI Packages Deploy CoinMiner on Linux Devices - Affected platforms: LinuxAffected parties: Linux users that have these malicious packages installedImpact: Latency in device performanceSeverity level: High. On December 5th, 2023, FortiGuard's AI-driven OSS malware detection system identified three ...
1 year ago Feeds.fortinet.com

175 Malicious NPM Packages With 26,000 Downloads Found in the Wild - A recent cybersecurity investigation uncovered 175 malicious NPM packages that have been downloaded over 26,000 times, posing significant risks to developers and organizations relying on these packages. These malicious packages were designed to steal ...
1 month ago Cybersecuritynews.com

25 Best Managed Security Service Providers (MSSP) - 2025 - Pros & Cons: ProsConsStrong threat intelligence & expert SOCs.High pricing for SMBs.24/7 monitoring & rapid incident response.Complex UI and steep learning curve.Flexible, scalable, hybrid deployments.Limited visibility into endpoint ...
4 months ago Cybersecuritynews.com

Malicious NPM Packages Exploit Ethereum Wallets to Steal Crypto Funds - In a recent cybersecurity alert, researchers have uncovered a series of malicious NPM packages designed to exploit vulnerabilities in Ethereum wallets, leading to significant crypto fund thefts. These packages, masquerading as legitimate ...
2 months ago Thehackernews.com

PhantomRaven Attack Involves 126 Malicious NPM Packages - The PhantomRaven cyberattack has been uncovered involving a staggering 126 malicious NPM packages, posing a significant threat to the software development community. These packages were designed to infiltrate systems by exploiting the widely used ...
1 week ago Cybersecuritynews.com PhantomRaven

3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
2 years ago Securityaffairs.com

Lazarus Adds New Malicious npm Packages with Hexadecimal Encoding - These packages, part of the broader Contagious Interview operation, are designed to evade automated detection systems and manual code audits, marking a significant evolution in the group’s approach to cyber espionage and financial theft. The ...
7 months ago Cybersecuritynews.com Lazarus Group

Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
2 years ago Securityweek.com

Malicious npm and PyPI Pose as Developer Tools to Steal Login Credentials - The researchers noted that the packages employ various exfiltration methods to transmit stolen credentials to threat actors, with react-native-scrollpageviewtest using Google Analytics as its exfiltration channel, while the PyPI packages leverage ...
6 months ago Cybersecuritynews.com

Hackers breach Toptal GitHub account, publish malicious npm packages - In the days that followed, the attackers modified the source code of Picasso on GitHub to include malware and published 10 malicious packages on NPM as Toptal, making them appear as legitimate updates. According to code security ...
3 months ago Bleepingcomputer.com

New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload - These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate ethers package, ultimately creating a reverse shell on the victim’s machine. The threat actor may have been attempting to ...
7 months ago Cybersecuritynews.com

Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data - FortiGuard Labs, Fortinet’s AI-driven threat intelligence arm, has uncovered a series of malicious NPM packages designed to steal sensitive information from developers and target PayPal users. Detected between March 5 and March 14, 2025, these ...
7 months ago Cybersecuritynews.com

Malicious npm Packages Attacking Linux Developers to Install SSH Backdoors - Discovered in early 2025, several malicious npm packages have been masquerading as legitimate Telegram bot libraries to deliver SSH backdoors and exfiltrate sensitive data from unsuspecting developers. The malicious variants—node-telegram-utils, ...
6 months ago Cybersecuritynews.com

Malicious NPM Packages Impersonate Popular Libraries to Steal Credentials, Cryptocurrency - In a recent cybersecurity alert, researchers have uncovered a wave of malicious NPM packages designed to impersonate popular JavaScript libraries. These packages are crafted to deceive developers by mimicking legitimate libraries, but their true ...
2 months ago Thehackernews.com

Misconfiguration and vulnerabilities biggest risks in cloud security: Report - The two biggest cloud security risks continue to be misconfigurations and vulnerabilities, which are being introduced in greater numbers through software supply chains, according to a report by Sysdig. While zero trust is a top priority, data showed ...
2 years ago Csoonline.com Hunters

New Phishing Attack Using Invisible Characters Exploits Unicode Tricks - A new phishing attack technique has emerged that leverages invisible Unicode characters to deceive users and bypass traditional security filters. This sophisticated method involves embedding zero-width spaces and other non-printing characters within ...
2 weeks ago Cybersecuritynews.com

Malicious NuGet packages drop disruptive time bombs - Recently, security researchers uncovered a series of malicious NuGet packages that deploy disruptive time bombs targeting developers and organizations using the NuGet package manager. These packages are designed to remain dormant for a period before ...
5 days ago Bleepingcomputer.com