Some payloads were limited to detonating on specific dates in 2023, but in some cases there was no end date for a phase that began in July this year. Pandya said this means the threat remains permanent, though in an email he also wrote: “Since all activities have passed (June 2023 – August 2024), today, after the general use of the package, any developer's system will face shutdown, file deletion, and disaster.”
Interestingly, the NPM user who submitted the malicious packages, using the registration email address 1634389031@QQ[.]com, also uploaded working packages in which no malicious functions were found. Pandya said that publishing both harmful and useful packages helped create a “legal status” that improved the odds for the malicious packages. Questions emailed to this address went unanswered.
The malicious packages targeted users of some of the major ecosystems for JavaScript developers, including React, Vue and Vite. The specific packages were these:
Anyone who has installed any of these packages should carefully inspect their systems to make sure the packages are no longer running. These packages imitate fully legitimate development tools, so they can easily go undetected.
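One way to start the inspection advised above is to check a project's lockfile for the named packages, including copies pulled in as nested dependencies. This is an added example, not code from the researchers or the article; the watchlist entries are placeholders to be replaced with the package names from the advisory, and the sample lockfile is constructed.

```javascript
// Added example: find watchlisted packages in a parsed package-lock.json.
// WATCHLIST holds placeholders; substitute the names from the advisory.
const WATCHLIST = new Set(["placeholder-malicious-pkg", "@placeholder/malicious-plugin"]);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function findWatchlisted(lock, watchlist = WATCHLIST) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = meta.name || nameFromPath(path); // "name" is set for aliased installs
    if (watchlist.has(name)) hits.push({ name, version: meta.version, where: path });
  }
  // lockfileVersion 1: nested "dependencies" tree.
  // Skipped when "packages" exists, because v2 lockfiles carry both views.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = [...trail, name].join(" > ");
      if (watchlist.has(name)) hits.push({ name, version: meta.version, where });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (v3 shape), not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-benign-lib": { version: "1.3.0" },
    "node_modules/placeholder-malicious-pkg": { version: "0.0.4" },
    "node_modules/some-benign-lib/node_modules/@placeholder/malicious-plugin": { version: "2.1.0" },
  },
};

console.log(findWatchlisted(SAMPLE_LOCK));
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findWatchlisted`. A match shows the package was resolved for install; it does not by itself show whether any payload ran.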