Researchers have uncovered a batch of malicious packages in the npm registry that quietly racked up over 6,000 downloads before anyone noticed. These weren’t your typical cryptominers or info-stealers. They were designed to crash systems, wipe files, and corrupt data, sometimes all at once.
npm is the public registry where developers publish and download JavaScript packages. It’s used by millions, which makes it a prime target for attacks like this.
The packages were disguised to look like common JavaScript tooling for frameworks such as Vue and React and for the Vite build tool. Under the hood, they carried payloads that could delete local files, wipe browser storage, or force a system shutdown. Some were subtle, corrupting data such as auth tokens and app settings to produce odd, hard-to-trace bugs. Others went straight for the jugular, deleting framework files and shutting machines down outright.
All of this went live with zero fanfare. Some payloads were set to trigger only on specific dates in 2023 and 2024, but at least one has no end date, meaning it is still live today. Installing the wrong package could be enough to do real damage.
The account behind the uploads also published clean, working packages with nothing malicious in them, apparently to build trust. That mix of good and bad code helped it stay under the radar. The email address tied to the account did not respond to questions.
The affected packages closely mimic real tools, which makes them easy to overlook. The known list includes:
- js-bomb
- js-hood
- vite-plugin-bomb
- vite-plugin-bomb-extend
- vite-plugin-react-extend
- vite-plugin-vue-extend
- vue-plugin-bomb
- quill-image-downloader
If any of these made it into your project, check your dependency tree and the machines that installed it. These weren’t slip-ups or experiments. They were built to break things, and they do.