
Security researchers have uncovered a supply chain attack targeting JavaScript frameworks via malicious npm packages, accumulating over 6,200 downloads. The attacker, using the alias “xuxingfeng,” published both legitimate and harmful packages, including those employing typosquatting to target popular tools like Vite, React, and Vue.js plugins. Notably, the "js-hood" package corrupts core JavaScript methods, leading to subtle data corruption and unpredictable application behavior, making debugging difficult; experts recommend auditing dependencies, restoring from verified sources, and rotating compromised credentials.
A sophisticated supply chain attack has been identified within the JavaScript ecosystem, where malicious npm packages, downloaded over 6,200 times, are targeting popular frameworks like Vite, React, and Vue.js. The threat actor, operating under the alias “xuxingfeng,” employed a dual strategy, publishing both benign and harmful packages to build a facade of legitimacy, with eight malicious packages reportedly still active on the npm registry as of May 22, 2025. These packages utilize typosquatting and name mimicry, such as “vite-plugin-react-extend” mimicking “@vitejs/plugin-react,” to deceive developers. A particularly insidious package, “js-hood,” is designed to corrupt fundamental JavaScript APIs, including Array methods (e.g., filter, push, map) and String methods (e.g., split, replaceAll), causing them to return random, unpredictable values at randomized 5-10 minute intervals after August 1, 2023. This subtle data corruption, as opposed to overt system damage, leads to hard-to-diagnose intermittent application failures, posing a significant threat to software integrity and reliability for projects relying on these widely used tools, including Vite, which has over 28 million weekly downloads. The campaign demonstrates a multi-faceted threat with varied attack vectors ranging from data corruption to file deletion and system crashes, underscoring critical vulnerabilities in the open-source software supply chain.
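Because js-hood is described as replacing built-in Array and String methods rather than damaging the system outright, a defender's first question is how to notice that the runtime's built-ins are no longer the originals. The following is an added example, not code from the article or from any package it names: a startup or periodic integrity check for a Node.js application that (1) verifies each watched method is still a native function and (2) runs known-answer tests, which is what catches a method that only misbehaves at intervals. The list of watched methods and the `allow` set for intentional polyfills are assumptions chosen for illustration.

```javascript
// Added example (not from the article or from js-hood): integrity check for
// built-in Array/String methods that a malicious dependency might replace.

// Capture the real Function.prototype.toString before any dependency loads,
// so a later override of toString itself cannot hide a patched method.
const nativeToString = Function.prototype.toString;

// Assumed watch list; extend it to whatever your code relies on.
const WATCHED_BUILTINS = [
  { label: 'Array.prototype',  proto: Array.prototype,  names: ['filter', 'push', 'map', 'slice', 'indexOf'] },
  { label: 'String.prototype', proto: String.prototype, names: ['split', 'replaceAll', 'trim', 'indexOf'] },
];

// Built-ins stringify as "function name() { [native code] }"; a JavaScript
// replacement shows its own source instead.
function isNativeFunction(fn) {
  return typeof fn === 'function' && /\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
}

// Structural check: every watched method must still be a native function.
// `allow` lists methods a project knowingly polyfills (e.g. replaceAll on old runtimes).
function findTamperedBuiltins(allow = new Set()) {
  const findings = [];
  for (const { label, proto, names } of WATCHED_BUILTINS) {
    for (const name of names) {
      const key = `${label}.${name}`;
      if (allow.has(key)) continue;
      const desc = Object.getOwnPropertyDescriptor(proto, name);
      if (!desc || typeof desc.value !== 'function') findings.push(`${key}: missing or not a function`);
      else if (!isNativeFunction(desc.value)) findings.push(`${key}: non-native implementation`);
    }
  }
  return findings;
}

// Behavioural check: a callable Proxy around a native function still
// stringifies as native, so also verify known inputs give known outputs.
// Inputs and expected values below are constructed for this example.
const KNOWN_ANSWERS = [
  ['Array.prototype.map',         () => JSON.stringify([1, 2, 3].map(x => x * 2)),                      '[2,4,6]'],
  ['Array.prototype.filter',      () => JSON.stringify([1, 2, 3, 4].filter(x => x % 2 === 0)),           '[2,4]'],
  ['Array.prototype.push',        () => { const a = [1]; return String(a.push(2, 3)) + ':' + a.join(','); }, '3:1,2,3'],
  ['String.prototype.split',      () => JSON.stringify('a,b,c'.split(',')),                             '["a","b","c"]'],
  ['String.prototype.replaceAll', () => 'a-b-c'.replaceAll('-', '+'),                                  'a+b+c'],
];

function runKnownAnswerChecks() {
  const failures = [];
  for (const [name, run, expected] of KNOWN_ANSWERS) {
    let actual;
    try { actual = run(); } catch (e) { actual = `threw ${e && e.name}`; }
    if (actual !== expected) failures.push(`${name}: expected ${expected}, got ${actual}`);
  }
  return failures;
}

// Combined verdict: an empty array means no tampering was observed.
function checkBuiltinIntegrity(allow) {
  return [...findTamperedBuiltins(allow), ...runKnownAnswerChecks()];
}

// Stand-alone run (CommonJS only); call checkBuiltinIntegrity() from your
// own bootstrap or a timer in ESM code.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const problems = checkBuiltinIntegrity();
  console.log(problems.length === 0 ? 'built-ins intact' : problems.join('\n'));
}
```

Run the check as early as possible in process startup (before application dependencies are required) and again on a timer, since the article describes corruption that switches on only at randomized intervals; a non-empty result should fail the health check and be logged with the process's dependency lockfile hash so the offending install can be traced.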