A reminder of how risks continually lurk in open-source repositories is the use of malicious npm packages to target developers, with the intention of stealing source code and configuration files from victim machines. Checkmarx, a software supply chain security company, stated in a report shared with The Hacker News that “the threat actor behind this campaign has been linked to malicious activity dating back to 2021.”
The actor has continued to publish malicious packages ever since. The latest report is a continuation of the same campaign, exposed by Phylum at the beginning of the month, in which several npm modules were designed to exfiltrate sensitive data to a remote server.