33 Malicious npm Packages Abuse Dependency Confusion to Profile Developer Environments
Microsoft Threat Intelligence uncovered 33 malicious npm packages that exploit dependency confusion to deploy a reconnaissance payload targeting developer environments across nine organizational scopes.
Microsoft Threat Intelligence has identified an active supply chain attack involving 33 malicious npm packages that abuse the dependency confusion technique to profile developer environments. Published under three maintainer aliases — mr.4nd3r50n, ce-rwb, and t-in-one — the packages impersonate internal corporate namespaces across nine organizational scopes, including @cloudplatform-single-spa, @sber-ecom-core, and @capibar.chat. The campaign, detected on May 28 and 29, 2026, uses social engineering tactics such as spoofed enterprise metadata and inflated version numbers to trick developers into installing the malicious packages during npm install.
The attack chain begins when a developer runs npm install on a project that resolves to one of the malicious packages. Each package declares a postinstall script in its package.json that executes automatically, downloading a heavily obfuscated JavaScript dropper from an attacker-controlled command-and-control (C2) server. The dropper, approximately 17 KB in size, performs environment fingerprinting, credential reconnaissance, and system profiling across Windows, macOS, and Linux. The payload operates in a "reconnaissance-only" mode, collecting hostnames, environment variables, and developer context, but includes a server-side RECON_ONLY flag that can be toggled for full exploitation in follow-on attacks.
The threat actor employed several techniques to maximize the likelihood of installation. Namespace squatting involved registering packages under scopes that mirror real internal corporate namespaces, such as @payments-widget and @travel-autotests. Package names like svp-baas, enterprise, monitoring, and sberpay-widget target specific internal services. Spoofed enterprise metadata in package.json fields — including repository URLs pointing to fake GitHub Enterprise instances and Jira portals — lends an air of legitimacy. Inflated version numbers, such as 100.100.100 used by mr.4nd3r50n, ensure the malicious package wins dependency resolution over any real internal package.
The postinstall hook executes an obfuscated JavaScript stager that uses obfuscator.io-style anti-analysis techniques, including string array encoding and control flow flattening. The stager connects to the C2 endpoint via HTTPS GET request, downloads the reconnaissance payload, writes it to a temporary directory, and spawns a detached process. The payload includes cache-based deduplication to evade repeated-execution monitoring and platform-specific delivery mechanisms. The two-phase design allows the attacker to conduct reconnaissance first and potentially deploy more destructive payloads later by toggling the RECON_ONLY flag server-side.
Microsoft has reported the malicious packages and maintainer accounts to the npm team, which has taken them down. The campaign highlights the ongoing risk of dependency confusion attacks, where attackers publish packages with names that match internal corporate packages but with higher version numbers, exploiting misconfigured package managers that prioritize public registry versions over private ones. Developers and organizations are advised to use strict dependency pinning, implement registry-scoped resolution, and audit package.json files for suspicious postinstall scripts.
The attack underscores the sophistication of modern supply chain threats, combining social engineering, obfuscation, and a modular two-phase design. With the ability to toggle between reconnaissance and exploitation, the campaign poses a significant risk to organizations that rely on npm for internal development. Microsoft continues to monitor for related activity and recommends that developers verify package authenticity before installation.