
Malicious npm Package Uses Hidden Prompt and Script to Evade AI Security Tools

Medium
Vulnerability
Published: Tue Dec 02 2025 (12/02/2025, 14:17:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have disclosed details of an npm package that attempts to influence artificial intelligence (AI)-driven security scanners. The package in question is eslint-plugin-unicorn-ts-2, which masquerades as a TypeScript extension of the popular ESLint plugin. It was uploaded to the registry by a user named "hamburgerisland" in February 2024. The package has been downloaded

AI-Powered Analysis

Last updated: 12/02/2025, 15:43:56 UTC

Technical Analysis

The malicious npm package eslint-plugin-unicorn-ts-2, uploaded by the user 'hamburgerisland' in February 2024, is a typosquatting attempt targeting the popular ESLint plugin ecosystem for TypeScript. It contains a hidden prompt string intended to mislead AI-driven security scanners by suggesting the code is legitimate and sandbox-tested, thereby attempting to evade automated detection. The package includes a post-install hook script that executes automatically upon installation, capturing environment variables that may contain sensitive credentials such as API keys and tokens. These are then exfiltrated to a Pipedream webhook controlled by the attacker. Although the malicious code itself is not sophisticated—relying on known techniques like typosquatting and post-install hooks—the innovation lies in the deliberate manipulation of AI-based analysis tools, signaling attackers' adaptation to modern security defenses. The package has been downloaded approximately 18,988 times, indicating a significant exposure. The current version is 1.2.1, but the malicious code was introduced in version 1.1.3. This threat emerges amid a growing underground market for malicious large language models (LLMs) that facilitate automated hacking tasks, lowering the barrier for less skilled attackers. The presence of such malware in the npm ecosystem underscores ongoing risks in software supply chains and the need for improved detection methods that account for AI evasion tactics.

Potential Impact

For European organizations, this threat poses a significant risk to the confidentiality of sensitive information, especially API keys, credentials, and tokens stored in development environments. The exfiltration of such data can lead to unauthorized access to cloud services, internal systems, and third-party APIs, potentially resulting in data breaches, service disruptions, and financial losses. Organizations heavily reliant on JavaScript and TypeScript development, particularly those using npm packages and ESLint plugins, are vulnerable to supply chain attacks that can propagate malicious code into production environments. The stealthy nature of the attack, leveraging AI evasion techniques, complicates detection and response efforts, increasing the likelihood of prolonged exposure. This can undermine trust in open-source ecosystems and disrupt software development pipelines. Additionally, the threat may facilitate lateral movement within networks if stolen credentials grant access to internal resources. The medium severity reflects the balance between the ease of exploitation (automatic execution on install) and the potential for significant data compromise. European companies with cloud infrastructure and DevOps practices integrating npm are particularly at risk.

Mitigation Recommendations

European organizations should implement strict supply chain security measures, including the use of package integrity verification tools such as npm audit, Snyk, or similar solutions that can detect malicious post-install scripts. Developers should avoid installing packages from untrusted or unknown publishers and prefer packages with verified maintainers. Employing allowlists for npm packages and restricting post-install scripts via npm configuration can reduce risk. Security teams should enhance AI-based detection tools by training models to recognize deceptive prompt strings and other evasion tactics. Continuous monitoring of environment variables and network traffic for unusual exfiltration attempts, especially to external webhooks like Pipedream, is critical. Implementing secrets management solutions to avoid storing sensitive credentials in environment variables accessible to development tools can limit exposure. Regularly updating dependencies and removing unused packages will reduce the attack surface. Finally, fostering developer awareness about supply chain threats and encouraging code reviews for third-party dependencies can further mitigate risks.
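One way to apply the allowlist and install-script recommendations above, shown as an added example (not code from the article or from any npm project): a lockfile audit that flags the package named on this page and any dependency with install-time scripts that has not been reviewed. It assumes a `package-lock.json` with lockfileVersion 2 or 3, where npm records `hasInstallScript: true`; the sample lockfile, the allowlist, and the function names are constructed for illustration.

```javascript
// From the page: package name, and 1.1.3 as the first version with the malicious code.
const KNOWN_BAD = { name: "eslint-plugin-unicorn-ts-2", firstBad: "1.1.3" };

// Compare dotted numeric versions; pre-release suffixes are ignored.
function cmpVersion(a, b) {
  const parts = (v) => String(v).split("-")[0].split(".").map(Number);
  const pa = parts(a), pb = parts(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i < 0 ? path : path.slice(i + "node_modules/".length);
}

// Returns one finding per dependency that is the known-bad package or that
// declares install-time scripts and is not on the reviewed allowlist.
function auditLock(lock, allowedInstallScripts = []) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || meta.link) continue; // skip root project and workspace links
    const name = meta.name || nameFromLockPath(path);
    const version = meta.version || "0.0.0";
    if (name === KNOWN_BAD.name && cmpVersion(version, KNOWN_BAD.firstBad) >= 0) {
      findings.push({ name, version, reason: "known-malicious" });
    } else if (meta.hasInstallScript && !allowedInstallScripts.includes(name)) {
      findings.push({ name, version, reason: "unreviewed-install-script" });
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/esbuild": { version: "0.19.0", hasInstallScript: true },
    "node_modules/eslint-plugin-unicorn-ts-2": { version: "1.2.1", hasInstallScript: true },
    "node_modules/example-native-addon": { version: "2.0.0", hasInstallScript: true },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
console.log(auditLock(SAMPLE_LOCK, ["esbuild"]));
```

Setting `ignore-scripts=true` in `.npmrc` blocks lifecycle scripts outright; the audit then shows which dependencies would need an explicit, reviewed exception.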


Technical Details

Article Source: https://thehackernews.com/2025/12/malicious-npm-package-uses-hidden.html (fetched 2025-12-02T15:43:01.419Z; word count: 1086)

Threat ID: 692f090716d939a309c2cf97

Added to database: 12/2/2025, 3:43:03 PM

Last enriched: 12/2/2025, 3:43:56 PM

Last updated: 12/5/2025, 6:13:59 AM
