Socket

Malicious PyPI Package ‘pycord-self’ Targets Discord Developers with Token Theft and Backdoor Exploit

The malicious package, named pycord-self, mimics the legitimate discord.py-self library, a widely used Python wrapper for the Discord user API. The legitimate package was released on April 8, 2023, whereas the malicious one appeared on June 20, 2024.

Malicious npm Packages Target Solana Private Keys and Drain Victims' Wallets

The packages – @async-mutex/mutex, dexscreener, solana-transaction-toolkit, and solana-stable-web-huks – exploit typosquatting to deceive developers into downloading them. These packages steal sensitive data and drain victims’ wallets.

Malicious Packages on npm, PyPI, and RubyGems Weaponize OAST Techniques for Data Exfiltration and Recon

Over the last year, researchers at Socket observed and identified malicious packages leveraging Out-of-Band Application Security Testing (OAST) services such as oastify[.]com and oast[.]fun to exfiltrate sensitive data to attacker-controlled servers.

Skuld Infostealer Returns to npm with Fake Windows Utilities and Malicious Solara Development Packages

The threat actor, identified as “k303903” on the npm registry, disguised malicious packages — windows-confirm, windows-version-check, downloadsolara, and solara-config — as legitimate tools.

Supply Chain Attack on Rspack npm Packages Injects Cryptojacking Malware

Rspack, a popular high-performance JavaScript bundler written in Rust, has been hit with a supply chain attack affecting two of its npm packages, @rspack/core and @rspack/cli. Version 1.1.7 of both packages is affected.

Malicious npm Package Typosquats Popular TypeScript ESLint P...

The attackers released 43 versions of the package within two weeks, a strategy aimed at evading detection by automated tools. Although the malicious package was removed from npm on December 1, its impact was far-reaching.

Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries

The malicious packages—babelcl, chokader, streamserch, sss2h, npmrunnall, and node-pyt—were crafted by the threat actor “sanchezjosephine180” to resemble well-known npm libraries such as babel-cli, chokidar, and ssh2.

Roblox Developers Targeted with npm Packages Infected with Skuld and Blank-Grabber

The incident shows how threat actors exploit trust and human error in the open-source ecosystem, using readily available malware, platforms like GitHub, and communication channels like Discord and Telegram to bypass traditional security measures.

Malicious Python Package Typosquats Popular SSH Library, Exfiltrates AWS Credentials

"Fabrice" is designed to steal credentials, create backdoors, and execute scripts on both Linux and Windows systems. On Linux, it downloads and runs shell scripts from a remote server, while on Windows, it executes Visual Basic and Python scripts.
