North Korean fake packages steal secrets in npm

Published on 2026-07-04 | Translated from Spanish

A group of fake software packages, attributed to North Korean actors, was planted in the npm registry posing as legitimate tools. The goal was to steal developer secrets such as API keys, access tokens and cloud credentials. For the general public, this means that applications or services we use daily could have been built with a compromised dependency without anyone noticing, exposing personal or financial data. The conclusion is clear: treat unexpected updates with suspicion and install only from sources you have verified.


How the scam operated in the npm ecosystem 🛡️

The attackers published packages whose names differ from well-known libraries by a single character, such as crossenv instead of cross-env. Once a developer installed one, its install-time scripts (npm lifecycle hooks such as postinstall, which run automatically during npm install) executed malicious code that collected environment variables, configuration files and cloud service credentials and sent them to a server under the attackers' control. This technique, known as typosquatting, exploits developer trust by mimicking popular names: a mistyped name in a package.json or on the command line is enough. The scope is broad: any project that depended on those packages, directly or through another dependency, could have had its supply chain compromised, affecting the companies that built the software and the end users who ran it. The practical checks are simple: compare the package name character by character against the one you meant, look at what lifecycle scripts a package declares before installing it, and pin exact versions in the lockfile so a lookalike cannot slip in through a loose version range.

The perfect excuse to update nothing 😅

Now, when your boss asks you to update all the project's dependencies, you can answer with a straight face: I'd rather not risk a North Korean hacker stealing the office calculator's source code. Because yes, it turns out that even the most innocent-looking package can be a trap. So now you know: before running npm install, double-check the name. Or better yet, stick with the old version that works. Technological laziness, at last, has its upside.