The open-source npm repository was found to contain a number of malicious packages that have been used in supply chain attacks and phishing attempts. The findings come from researchers at ReversingLabs, who said in a blog post on Thursday that the packages pose a twofold threat: they harm application end users while also aiding email-based phishing attempts, which primarily target Microsoft 365 users.
According to software threat analyst Lucija Valenti, more than a dozen malicious npm packages were found, published between May 11 and June 13. These packages mimicked genuine modules such as jquery, which receives millions of downloads every week. The malicious packages had been downloaded about 1000 times, and they were removed from npm shortly after being found.