Researchers at Socket have discovered six malicious npm packages posing as trustworthy libraries, in a campaign Socket attributes to the North Korean Lazarus Group. The packages are designed to steal login credentials, collect cryptocurrency wallet data, and install a backdoor that gives the attackers long-term access to the victim's system.
The six packages are:
- is-buffer-validator
- yoojae-validator
- event-handle-package
- array-empty-validator
- react-event-dependency
- auth-validator
Each one borrows the name of a popular, widely used package (is-buffer-validator, for example, rides on the ubiquitous is-buffer) to trick developers into installing it, the classic typosquatting tactic. Some even came with official-looking GitHub repositories to appear more legitimate.
These packages have not been downloaded in large numbers (just over 300 downloads combined so far), but their design shows a clear intention to infiltrate development environments quietly and efficiently. Once installed, the malware searches the machine for browser profile data, cryptocurrency wallet files and other sensitive information, sends what it finds to an attacker-controlled server, and plants a backdoor for continued access.
Expert View: OnchainLabs CTO Pedro Barrera on the Bigger Picture
According to our CTO, Pedro, these attacks are part of a much larger and ongoing trend. “It’s not just Lazarus — many hacker groups are constantly spreading malware to gain control over systems,” he explains. “Once infected, your machine can be used for future attacks or to steal sensitive data without you knowing.”
Pedro emphasizes the importance of caution: “Personally, I never download anything if I can’t review the code. But in a company setting, that’s not always realistic. So we look for strong indicators of trust — like open-source repositories with many contributors and at least 10,000 GitHub stars. The more eyes on the code, the safer it likely is.”
He adds that full audits are ideal but often require time and resources. “If you can’t audit every line, rely on well-established projects backed by a strong community.”
Pedro also warns that relying too heavily on third-party code increases your exposure to risk:
“The more dependency code we use, the more chances we have to be hacked — that’s why we’re not using any of them.”
What Can You Do About It?
- Double-check package names before installing anything from npm.
- Stick to trusted sources and avoid libraries with few downloads or unknown maintainers.
- Use tools like Socket’s GitHub app or CLI to scan your dependencies for hidden threats before they reach your build.
- Look for open-source packages with large communities and active contributors.
- Make sure your team understands the risks of supply chain attacks and how to spot suspicious behavior.
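As an added, illustrative example (not code from Socket or OnchainLabs), the following Node.js script turns the checks above into a pre-install audit: for every dependency in a package.json it asks whether the name rides on a well-known package, how many weekly downloads it has, how recently it was first published, how many maintainers it has, and whether it runs code at install time. The list of well-known names, the registry snapshot, the fixed clock and the package.json are constructed for the example; in practice the metadata would come from `npm view <name> --json` or the registry and downloads APIs, and the weights and threshold would be tuned to your own tolerance.

```javascript
// Added example, not code from Socket or OnchainLabs. A heuristic pre-install
// audit for npm dependencies that combines the signals a reviewer would check
// by hand: does the name ride on a well-known package, how many downloads,
// how old is it, how many maintainers, and does it run code at install time.
// The list of well-known names, the registry snapshot and the package.json are
// CONSTRUCTED for the example; real metadata comes from `npm view <name> --json`
// or GET https://registry.npmjs.org/<name> plus the downloads API.

const WELL_KNOWN = ['is-buffer', 'validator', 'react', 'lodash', 'express', 'axios'];

// Edit distance between two strings (Levenshtein, single-row dynamic programming).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const old = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(old + 1, prev[j - 1] + 1, diag + cost);
      diag = old;
    }
  }
  return prev[b.length];
}

// Does `name` impersonate a well-known package? Two patterns: a near-typo
// (edit distance 1 or 2, e.g. "lodahs") or the well-known name used as a
// hyphen-delimited prefix/suffix (e.g. "is-buffer-validator" wraps "is-buffer").
// Returns null for a genuine well-known package. This signal alone is noisy:
// plenty of legitimate plugins are named "<framework>-something".
function impersonates(name) {
  const base = name.startsWith('@') ? name.slice(name.indexOf('/') + 1) : name;
  if (WELL_KNOWN.includes(base)) return null;
  for (const known of WELL_KNOWN) {
    const d = levenshtein(base, known);
    if (d <= 2) return { known, reason: `edit distance ${d} from "${known}"` };
    if (base.startsWith(known + '-') || base.endsWith('-' + known)) {
      return { known, reason: `embeds well-known name "${known}"` };
    }
  }
  return null;
}

// Score one dependency. Each heuristic that fires adds a finding and a weight;
// `suspicious` is a threshold on the total so a single noisy signal does not
// block a legitimate package. `meta` holds only the registry fields we need.
function auditPackage(name, meta, now = Date.now()) {
  const findings = [];
  let score = 0;
  const imp = impersonates(name);
  if (imp) { findings.push(`name ${imp.reason}`); score += 3; }
  if (meta.weeklyDownloads < 500) { findings.push(`only ${meta.weeklyDownloads} weekly downloads`); score += 2; }
  const ageDays = Math.round((now - Date.parse(meta.created)) / 86400000);
  if (ageDays < 90) { findings.push(`first published ${ageDays} days ago`); score += 2; }
  if (meta.maintainers.length < 2) { findings.push('single maintainer'); score += 1; }
  const hooks = ['preinstall', 'install', 'postinstall'].filter((h) => meta.scripts && meta.scripts[h]);
  if (hooks.length > 0) { findings.push(`runs code at install time (${hooks.join(', ')})`); score += 3; }
  return { name, score, suspicious: score >= 6, findings };
}

// CONSTRUCTED registry snapshot: download counts, dates and maintainer handles
// are made up for the example, not real registry data.
const SAMPLE_REGISTRY = {
  'is-buffer':           { weeklyDownloads: 50000000, maintainers: ['m1', 'm2'],       created: '2015-01-01T00:00:00Z', scripts: { test: 'node test.js' } },
  'is-buffer-validator': { weeklyDownloads: 40,       maintainers: ['newacct'],        created: '2025-03-01T00:00:00Z', scripts: { postinstall: 'node index.js' } },
  'lodahs':              { weeklyDownloads: 12,       maintainers: ['newacct2'],       created: '2025-02-15T00:00:00Z', scripts: {} },
  'react-router':        { weeklyDownloads: 10000000, maintainers: ['m3', 'm4', 'm5'], created: '2014-05-15T00:00:00Z', scripts: {} },
};
const SAMPLE_NOW = Date.UTC(2025, 2, 20); // fixed clock so the ages above are reproducible

// CONSTRUCTED package.json: one genuine package, one legitimate framework plugin
// that only trips the name heuristic, and two packages that trip several signals.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'is-buffer': '^2.0.5', 'is-buffer-validator': '^1.0.0', 'react-router': '^6.0.0' },
  devDependencies: { lodahs: '^4.17.21' },
};

// Audit every runtime and dev dependency; a name missing from the registry
// snapshot is reported as suspicious rather than silently skipped.
function auditDependencies(pkgJson, registry = SAMPLE_REGISTRY, now = SAMPLE_NOW) {
  const deps = Object.assign({}, pkgJson.dependencies || {}, pkgJson.devDependencies || {});
  return Object.keys(deps).map((name) => {
    const meta = registry[name];
    if (!meta) return { name, score: 0, suspicious: true, findings: ['not found in registry snapshot'] };
    return auditPackage(name, meta, now);
  });
}

for (const r of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${r.suspicious ? 'SUSPICIOUS' : 'ok'}\t${r.name} (score ${r.score})`);
  for (const f of r.findings) console.log(`\t- ${f}`);
}
```

Note how react-router trips the name heuristic (it starts with "react-") yet stays below the threshold, while is-buffer-validator and lodahs accumulate low downloads, a very recent publish, a single maintainer and, in the first case, a postinstall hook. Name similarity is the cheapest signal to compute and the easiest to fool in both directions, so it should only ever be one input among several.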
Even as hackers get smarter, developers can stay ahead by being cautious and using the right tools. The best defense starts with awareness.