npm malicious JavaScript package

The security team at Node Package Manager (npm) has removed a malicious JavaScript package present in the npm repository, according to This malicious software was observed stealing sensitive data from UNIX systems. The package, named 1337qq-js, was uploaded to the repository on 30th December 2019, and was downloaded at least 32 times over the past two weeks before it was spotted by Microsoft’s Vulnerability Research team.
Jake Moore, Cybersecurity Specialist at ESET:
“It is recommended to remove this particular software but vulnerabilities are predominately identified through the in-built audit feature in npm, which detects previously reported malicious packages. As this threat was unknown before, it makes it far more difficult to predict in future. Even when the Microsoft Vulnerability Research team is there to act as a security blanket, users are advised to always take caution when downloading any files. As we have seen before, every once in a while malicious software may slip through the net and catch people out- but at least this one was caught before it had been out too long and gained any serious traction or made significant damage.”