#NSBCS.090 - Beware of Vibe Coding: Lessons from the Malicious 'nodejs-smtp' NPM Package

Source: NSB Cyber


In the fast-paced world of software development, it's tempting to prioritise speed over scrutiny. We often grab a package from npm that "feels right" – it has a familiar name, a polished README, and promises seamless integration. This intuitive approach, what I call "vibe coding", can lead to disastrous consequences. A recent incident involving the malicious npm package "nodejs-smtp" serves as a stark reminder to be more conscious of our habits.

Discovered by cybersecurity researchers in September 2025, "nodejs-smtp" was uploaded to the npm registry in April by a user named "nikotimon." It cleverly mimicked the legitimate "nodemailer" library, copying its tagline, styling, and documentation to appear trustworthy. With 347 downloads before its removal, the package functioned as an SMTP mailer, compatible with nodemailer's interface, ensuring it passed basic tests without raising alarms. However, beneath this facade lurked a cryptocurrency clipper targeting Windows users of desktop wallets like Atomic and Exodus.

The malware exploited Electron tooling to unpack and modify the wallet applications' "app.asar" files, injecting code that hijacked transactions for Bitcoin, Ethereum, Tether, XRP, and Solana. By overwriting recipient addresses with attacker-controlled wallets, it could silently drain funds. This wasn't an isolated case; it echoed a prior attack via the "pdf-to-office" package, which similarly tampered with wallet scripts. The persistence across reboots and the package's ability to clean up traces made it particularly insidious.

"Vibe coding" – relying on superficial vibes like a package's appearance or quick search results – exposes us to such supply chain attacks. In an ecosystem with millions of packages, threat actors exploit our haste. We assume a clean README means safety, but as this incident shows, deception is easy. The impact? Compromised applications, stolen assets, and eroded trust in open-source tools.

To combat this, individuals and businesses could consider the following:

1. Vet Packages Thoroughly: Before installing, check download stats, recent updates, and maintainer activity on npm or tools like Socket.dev. Avoid low-download packages unless verified.

2. Utilise Security Tools: Run npm audit regularly to scan for vulnerabilities. Integrate tools like Snyk or Dependabot into your CI/CD pipelines for automated checks.

3. Review Source Code: Inspect the GitHub repo for suspicious code, especially in dependencies handling sensitive data.

4. Limit Dependencies: Follow the principle of least privilege; question if you truly need that extra package.

5. Stay Informed: Follow sources like The Hacker News or OWASP for emerging threats, and participate in community forums to share insights.
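As an added example (not code from the NSB Cyber post), the Node.js script below turns the vetting checklist above into a repeatable heuristic over an npm registry document: it flags a young package, few downloads, few releases, a single maintainer, and a tagline identical to that of a well-known package, which is how "nodejs-smtp" impersonated nodemailer. The `KNOWN_PACKAGES` allow-list, the thresholds, and the sample document are assumptions constructed for illustration.

```javascript
// Added example, not from the NSB Cyber post: a small npm vetting heuristic.
// The document shape (name, description, time.created, versions, maintainers)
// follows the public npm registry API; all values below are constructed.

// Assumed allow-list: well-known packages and the taglines your team trusts.
// The nodemailer tagline is quoted from memory and is an assumption.
const KNOWN_PACKAGES = {
  nodemailer: "easy as cake e-mail sending from your node.js applications",
};

function normalise(text) {
  return (text || "").toLowerCase().replace(/\s+/g, " ").trim();
}

// Returns { flags, score }; a higher score means the package needs more scrutiny.
// Thresholds (180 days, 1000 weekly downloads, 3 releases, 2 maintainers) are assumed.
function vetPackage(meta, weeklyDownloads, now = new Date()) {
  const flags = [];
  const ageDays = (now - new Date(meta.time.created)) / 86400000;
  if (ageDays < 180) flags.push("young-package");
  if (weeklyDownloads < 1000) flags.push("low-downloads");
  if (Object.keys(meta.versions || {}).length < 3) flags.push("few-releases");
  if ((meta.maintainers || []).length < 2) flags.push("single-maintainer");
  // A copied tagline under a different name is the impersonation pattern from the post.
  const desc = normalise(meta.description);
  for (const [name, tagline] of Object.entries(KNOWN_PACKAGES)) {
    if (meta.name !== name && desc === normalise(tagline)) {
      flags.push(`tagline-copied-from:${name}`);
    }
  }
  return { flags, score: flags.length };
}

// Constructed sample modelled on the incident: uploaded in April, 347 downloads,
// one release, one maintainer, tagline identical to nodemailer's.
const SUSPECT = {
  name: "nodejs-smtp",
  description: "Easy as cake e-mail sending from your Node.js applications",
  time: { created: "2025-04-15T00:00:00.000Z" },
  versions: { "1.0.0": {} },
  maintainers: [{ name: "nikotimon" }],
};

console.log(JSON.stringify(vetPackage(SUSPECT, 347, new Date("2025-09-01T00:00:00Z"))));
```

In practice, feed `vetPackage` the JSON from `https://registry.npmjs.org/<name>` and the weekly count from the downloads API before the package is added to a lockfile.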

In an ever-evolving digital landscape, vigilance isn't just a choice — it's a necessity. Commit to these steps, and collectively we can build a more secure and trustworthy software ecosystem for everyone and take #NoStepsBackward.

References: https://thehackernews.com/2025/09/malicious-npm-package-nodejs-smtp.html


What we read this week

  • Jaguar Land Rover Disrupted by Major Cyber Attack on Production Systems - British automotive giant Jaguar Land Rover (JLR) has suffered a significant cybersecurity incident that has halted global production and retail operations, as reported on 2 September 2025. The attack, claimed by a group of young English-speaking hackers linked to previous breaches like that of Marks & Spencer, has forced factories in the UK, Slovakia, Brazil, and India to shut down, with recovery efforts ongoing. While no data exfiltration has been confirmed, the disruption highlights vulnerabilities in supply chain and manufacturing IT systems. Organisations in the automotive sector should prioritise network segmentation, regular vulnerability scanning, and robust incident response plans to mitigate similar industrial control system threats.

  • Malicious npm Package Targets Cryptocurrency Wallets with Stealthy Code Injection - Cybersecurity researchers have identified a malicious npm package designed to inject harmful code into desktop applications for cryptocurrency wallets such as Atomic and Exodus on Windows systems, disclosed on 2 September 2025. The package employs advanced stealth techniques to evade detection, including dynamic loading and anti-analysis features, potentially leading to credential theft and fund drainage. This incident underscores the risks in open-source supply chains. Developers and users are urged to verify package authenticity, utilise dependency scanning tools, and implement endpoint protection to safeguard financial software environments.

  • Lazarus Group Exploits Zero-Day Vulnerability in Financial Sector Attacks - North Korea's Lazarus hackers have leveraged a zero-day flaw to deploy three custom remote access trojans (RATs) against financial and cryptocurrency organisations, as detailed in a report on 2 September 2025. The attack chain begins with social engineering, followed by exploitation for reconnaissance and payload delivery, aiming at data exfiltration and further compromise. This campaign demonstrates the group's evolving tactics amid geopolitical tensions. Targeted entities should enhance threat intelligence sharing, apply timely patches, and deploy behavioural analytics to detect anomalous network activity and prevent espionage-driven intrusions.

  • Zscaler Latest Victim in Salesforce Supply Chain Data Theft Campaign - Security firm Zscaler has confirmed it was affected by a supply chain attack exploiting compromised OAuth tokens from the Salesloft Drift third-party application, allowing unauthorised data exports from Salesforce instances. The incident, part of a broader opportunistic campaign tracked since August, risks exposing credentials for further attacks like credential stuffing. No ransomware was involved, but it amplifies concerns over third-party integrations. Companies using Salesforce should audit OAuth configurations, revoke suspicious tokens, and enforce zero-trust access controls to secure CRM ecosystems.

  • Critical SQL Injection Flaw Patched in WordPress Paid Memberships Pro Plugin - A severe unauthenticated SQL injection vulnerability has been fixed in the Paid Memberships Pro plugin for WordPress, impacting versions up to 2.15.1, as announced on 2 September 2025. The flaw enables attackers to inject malicious queries and extract sensitive database information without authentication. With millions of installations, this poses risks of data breaches for membership-based sites. Website administrators should update immediately, sanitise user inputs, and utilise web application firewalls to protect against database manipulation exploits.
