The malicious software packages impersonate legitimate JavaScript libraries and components, but upon installation, they run obfuscated code to collect and siphon sensitive files.

Malicious NPM Packages Caught Exfiltrating Kubernetes Config, SSH Keys

The Sonatype Security Research team has identified an ongoing campaign on the npm registry that uses malicious npm packages to steal Kubernetes configuration files and SSH keys. So far, at least 14 packages have been found, disguised as legitimate JavaScript libraries. These packages contain obfuscated code that collects sensitive files from the target machine. The packages have been reported to the npm registry admins, but the accounts used to publish them are linked to the domain.

The packages have low download counts and are considered malicious. Sonatype's products can help detect and block such packages from reaching development builds.
