Hackers Exploit Malicious npm Packages to Attack React and Node.js JavaScript Frameworks

Security researchers from Socket’s Threat Research Team have identified a coordinated campaign of malicious npm packages that specifically target top JavaScript frameworks, including React, Node.js, Vue.js, Vite, and the popular Quill Editor.

Over a span exceeding two years, this sophisticated threat operated covertly within the npm ecosystem, accumulating over 6,200 downloads and putting both development and production environments at risk.

Package Name Mimicry

The attacker, using the npm alias “xuxingfeng” and an associated registration email, employed a strategy of publishing packages that closely mimicked legitimate and commonly-used plugins, a classic case of typosquatting.

Figure: npm profile of the threat actor xuxingfeng

Examples include vite-plugin-react-extend, which closely resembles the well-known @vitejs/plugin-react, and quill-image-downloader, which poses as a variant of established Quill image modules.

By mirroring the naming conventions and utility profiles of highly downloaded packages, the attacker increased the chance of accidental installation by developers, especially in environments where typing errors or autocomplete are common.

Multi-Vector Payloads

What sets this campaign apart is the diversity and depth of its attack vectors. The payloads range from aggressive file deletion and system shutdowns to subtle data corruption, targeting both server-side (Node.js) and client-side (browser) application layers.

Packages like vite-plugin-bomb and vite-plugin-react-extend implemented cross-platform deletion logic using modules such as rimraf (Node.js’ equivalent of Unix’s rm -rf).

According to Socket’s report, these scripts recursively deleted key directories and files associated with React, Vue, Vite, and other third-party dependencies.

One package, vite-plugin-vue-extend, featured a seven-phase attack plan, systematically wiping 19 core libraries over several weeks and using randomized intervals to evade detection.

The js-hood package tampered with JavaScript’s own core methods, replacing fundamental Array and String prototype functions with corrupted logic.

For instance, calls to filter(), map(), or split() would silently return random data, leading to nondeterministic application failures that are deeply challenging to diagnose and mitigate.
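The prototype tampering described above is detectable at runtime. The following is an added example, not code from the article or from Socket: a small integrity check for the Array and String prototype methods named in the report. Each check resolves the method at check time, verifies that it still reports as native code, and runs a short deterministic probe several times, so a replacement that returns random data fails either the expected-value comparison or the repeatability comparison. The check names, probes and expected values are constructed for this example.

```javascript
// Added example (not from the article or Socket): runtime integrity check
// for core Array/String prototype methods of the kind js-hood is reported
// to have replaced. Probes and expected outputs are constructed here.

const BUILTIN_CHECKS = [
  { name: 'Array.prototype.filter', owner: Array.prototype, method: 'filter',
    probe: () => [1, 2, 3, 4].filter((x) => x % 2 === 0), expected: '[2,4]' },
  { name: 'Array.prototype.map', owner: Array.prototype, method: 'map',
    probe: () => [1, 2, 3].map((x) => x * 2), expected: '[2,4,6]' },
  { name: 'String.prototype.split', owner: String.prototype, method: 'split',
    probe: () => 'a,b,c'.split(','), expected: '["a","b","c"]' },
];

// A genuine built-in stringifies to "function name() { [native code] }".
// A JavaScript replacement stringifies to its own source text instead.
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}/.test(Function.prototype.toString.call(fn));
}

// Returns a list of findings; an empty list means every check passed.
function checkPrototypeIntegrity(checks = BUILTIN_CHECKS, rounds = 3) {
  const findings = [];
  for (const check of checks) {
    const reasons = [];
    // Resolve the method now, so a swap made after module load is seen.
    if (!isNativeFunction(check.owner[check.method])) reasons.push('not native code');

    // Run the probe several times: random output shows up as more than
    // one distinct result; a consistent but wrong result is also flagged.
    const observed = new Set();
    for (let i = 0; i < rounds; i++) {
      try { observed.add(JSON.stringify(check.probe())); }
      catch (err) { observed.add('threw: ' + err.message); }
    }
    if (observed.size !== 1) reasons.push('nondeterministic results across ' + rounds + ' runs');
    else if (!observed.has(check.expected)) reasons.push('unexpected result ' + [...observed][0]);

    if (reasons.length > 0) findings.push({ name: check.name, reasons });
  }
  return findings;
}

// Intended use: run once at process start (server) or page load (browser)
// and fail closed if anything is flagged.
if (typeof require !== 'undefined' && require.main === module) {
  const findings = checkPrototypeIntegrity();
  console.log(findings.length === 0 ? 'core prototypes intact' : JSON.stringify(findings, null, 2));
}
```

The native-code test alone is not sufficient, since Function.prototype.toString can itself be replaced; the repeated deterministic probe is what catches the randomized behaviour the report describes, regardless of how the replacement presents itself.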

The quill-image-downloader suite showcased a sophisticated approach to client-side disruption by corrupting all browser storage mechanisms: localStorage, sessionStorage, and cookies.

By replacing stored data with randomized characters on a scheduled basis, this vector sabotaged user authentication, preferences, and persistent application states, all while avoiding outright crashes and leaving minimal traces for forensics.

Packages such as js-bomb and vue-plugin-bomb combined system-level shutdown commands (notably, shutdown -s -t 5 on Windows) with file deletion to maximize operational disruption.

The attacks were activated in time-based phases, starting with isolated shutdowns and escalating to broader file destruction and forced reboots.

Several factors contributed to the sustained presence of these packages on npm.

The threat actor bolstered their credibility by publishing non-malicious utilities alongside the harmful payloads, making their profile appear legitimate.

Time-triggered activation, error handling with try/catch blocks, dynamic resolution of target paths, and heavy code minification all contributed to effective evasion of both automated scans and manual review.

The attacks’ activation windows, some tied to specific past and future dates, further complicated detection and delayed their operational impact.

Given the strategic targeting of foundational libraries deeply integrated into build pipelines and deployment infrastructure, the consequences for affected teams can be severe: corrupted builds, broken application logic, and unrecoverable data loss.

The delayed, periodic, and progressive nature of these attacks means organizations may only recognize compromises after persistent and unexplained failures surface.

Security professionals are urged to conduct immediate audits of all installed npm dependencies, restore affected environments from trusted sources, and rotate any potentially exposed credentials or secrets.

Continuous monitoring, dependency pinning, and real-time package behavior analysis, such as that provided by Socket’s security tools, are critical for early detection and mitigation of similar threats.

Indicators of Compromise (IOCs)

IOC Type | Value/Detail
Malicious Packages | js-bomb, js-hood, vite-plugin-bomb-extend, vite-plugin-bomb, vite-plugin-react-extend, vite-plugin-vue-extend, vue-plugin-bomb, quill-image-downloader
Threat Actor Alias | xuxingfeng
Threat Actor Email | 1634389031@qq[.]com
MITRE ATT&CK IDs | T1195.002 (Supply Chain Compromise), T1059.007 (Scripting: JavaScript), T1565 (Data Manipulation), T1485 (Data Destruction), T1529 (System Shutdown/Reboot)

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.