60 Malicious npm Packages Leak Network and Host Data in Active Malware Campaign socket.dev/blog/60-m…

Socket’s Threat Research Team has uncovered an active campaign in the npm ecosystem that now spans 60 packages published under three npm accounts. Each package carries a small install‑time script that, when triggered during npm install, collects hostnames, internal and external IP addresses, DNS server lists, and user directory paths, then exfiltrates the data to a Discord webhook under the threat actor’s control.