SSH keys stolen by stream of malicious PyPI and npm packages


Malicious npm and PyPI packages have been discovered stealing a variety of sensitive data from software engineers who use those platforms. The campaign began on September 12, 2023, when Sonatype's analysts found 14 malicious packages on npm, the first indication of the operation. The bottom half of Phylum's report contains a complete list of the malicious packages deployed during it.

After a brief operational pause on September 16 and 17, according to Phylum, the attack has continued and extended to include the PyPI ecosystem.
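The article reports that the packages steal SSH keys but does not show how. As an added example, not code from the article, from Phylum or from Sonatype, the audit below shows one defensive check a team can run on an unpacked package before installing it: it flags npm lifecycle hooks and `setup.py` command overrides (code that executes during install) and any source file that references SSH key locations. The patterns, the hook list and the sample package it builds are assumptions constructed for illustration, not indicators from the campaign.

```python
"""Pre-install audit for an unpacked npm or PyPI package.

Added example; heuristics and the sample package are constructed for
illustration and are not indicators from the reported campaign.
"""
import json
import os
import re
import tempfile

# Strings a credential stealer would need in order to locate SSH key
# material; this pattern list is an assumption, not an exhaustive signature.
SSH_PATTERNS = [
    re.compile(r"\.ssh[/\\]", re.IGNORECASE),
    re.compile(r"id_(rsa|ed25519|ecdsa|dsa)\b"),
    re.compile(r"BEGIN (OPENSSH|RSA|EC) PRIVATE KEY"),
]
# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Only look inside files that can carry code or install metadata.
SOURCE_EXTENSIONS = {".js", ".mjs", ".cjs", ".py", ".sh", ".json"}


def audit_package(root):
    """Walk an unpacked package directory and return sorted findings.

    Each finding is a (relative_path, reason) tuple.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1] not in SOURCE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue

            # 1. Code that executes at install time, before the package is used.
            if name == "package.json":
                try:
                    scripts = json.loads(text).get("scripts", {})
                except (ValueError, AttributeError):
                    scripts = {}
                if not isinstance(scripts, dict):
                    scripts = {}
                for hook in INSTALL_HOOKS:
                    if hook in scripts:
                        findings.append((rel, f"runs '{hook}' hook: {scripts[hook]}"))
            elif name == "setup.py" and "cmdclass" in text:
                findings.append((rel, "setup.py overrides install commands (cmdclass)"))

            # 2. References to SSH key locations or key headers.
            for pat in SSH_PATTERNS:
                if pat.search(text):
                    findings.append((rel, f"references SSH key material: /{pat.pattern}/"))
                    break
    return sorted(findings)


def build_sample_package():
    """Create a constructed sample npm package on disk and return its path.

    The package is a harmless fixture: its postinstall script only checks
    whether a key path exists, which is enough to trigger both heuristics.
    """
    root = tempfile.mkdtemp(prefix="pkg-audit-")
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump({"name": "sample-pkg", "version": "1.0.0",
                   "scripts": {"postinstall": "node setup.js"}}, fh)
    with open(os.path.join(root, "setup.js"), "w") as fh:
        fh.write("const fs = require('fs');\n"
                 "const p = require('path').join(process.env.HOME, '.ssh/id_rsa');\n"
                 "console.log(fs.existsSync(p));\n")
    with open(os.path.join(root, "index.js"), "w") as fh:
        fh.write("module.exports = () => 'hello';\n")
    return root


if __name__ == "__main__":
    sample = build_sample_package()
    for rel_path, reason in audit_package(sample):
        print(f"{rel_path}: {reason}")
```

On the constructed fixture the audit reports two findings: `package.json` runs a `postinstall` hook, and `setup.js` references an SSH key path. A clean package with no install hooks and no such references returns an empty list. In practice the check belongs in CI, run against the tarball `npm pack` or `pip download` fetches, so a flagged package is reviewed by a human before it reaches a developer workstation.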

The attackers have published 45 packages on npm (40) and PyPI (5) since the campaign began, with variations in the code indicating a quick evolution of the attack. Phylum claims there are at least seven

