ClickCease Beware of 48 Malicious npm Packages Deploying Reverse Shells

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Beware of 48 Malicious npm Packages Deploying Reverse Shells

Rohan Timalsina

November 17, 2023 - TuxCare expert team

In a recent discovery, 48 malicious npm packages have been found lurking in the npm repository. These tricky packages have the power to deploy a reverse shell on compromised systems, which is a serious concern.

What makes this situation even more alarming is that these packages were disguised to look legitimate. They contained obfuscated JavaScript code designed to launch a reverse shell as soon as you install them. This revelation comes from Phylum, a software supply chain security firm, which has been keeping an eye on these devious packages.


Attack Details


The person behind these deceptive npm packages goes by the name hktalent on npm and GitHub. As we write this, two packages uploaded by this individual are still available for download. That means there are still potential threats out there.

So, how does this attack work? Once you install one of these packages, there’s a hidden trap that’s activated. This trap is in the form of an install hook in the package.json file, which runs a JavaScript code. This code secretly establishes a reverse shell connection to rsh.51pwn[.]com, a server controlled by the attacker. If you fall victim to this scheme, your system could be compromised.

Phylum noted that the attacker used a combination of benign-sounding package names and multiple layers of obfuscation to sneakily deploy the reverse shell. It’s a clever tactic aimed at catching unsuspecting users off guard.

But that’s not all. In another concerning revelation, it has come to light that two packages published on the Python Package Index (PyPI) were not what they seemed. These packages, called localization-utils and locute, pretended to be helpful tools for internationalization but had a hidden agenda. They contained malicious code designed to steal sensitive data from the Telegram Desktop application and gather system information.

The devious part here is that these packages retrieved their final malicious payload from a dynamically generated Pastebin URL and sent the stolen information to a channel controlled by an unknown actor on Telegram. This means that even if you think you’re downloading legitimate packages, you might unknowingly expose your data to cybercriminals.




What’s important to understand is that threat actors are increasingly targeting open-source environments. They see these platforms as opportunities to carry out supply chain attacks that can harm numerous users all at once. It’s a sobering reminder of the importance of trust in the open-source community.

So, as you explore the world of open-source software, always exercise caution, check the credibility of packages and their authors, and stay vigilant for any suspicious activity. Your cybersecurity is in your hands!


The sources for this article include a story from TheHackerNews.

Beware of Malicious npm Packages Deploying Reverse Shells
Article Name
Beware of Malicious npm Packages Deploying Reverse Shells
Discover the danger of 48 malicious npm packages deploying reverse shells. Stay vigilant for cybersecurity in open-source software.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter