Package lurking in npm for six years waits to destroy your work
Briefly

Socket's threat researchers identified a malicious npm package named xlsx-to-json-lh that went undetected for six years. The package mimics a legitimate tool, xlsx-to-json-lc, and is designed to wipe projects when it receives a remote command. Although it performs its advertised job of converting Excel files to JSON correctly, it has been classified as malware, with nearly 500,000 downloads since 2016. The package kept the original author's metadata and evaded detection until recently, prompting Socket to request its removal from the npm registry.
Socket's threat researchers have discovered the xlsx-to-json-lh package on npm, which has been hiding in plain sight for six years, waiting for a command to wipe projects.
The malicious package mirrors the name and function of a legitimate tool, xlsx-to-json-lc, trading on that tool's popularity and on how rarely developers check a package name before installing it.
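The name mimicry described above is the kind of near-miss a dependency audit can catch before install. The following is an added example, not code from the article or from Socket, that flags any package.json dependency within a small edit distance of a trusted name; the sample package.json and the allowlist are constructed for illustration.

```javascript
// Added example: flag dependencies whose names are within a few edits of a
// trusted package name, the near-miss that let xlsx-to-json-lh pass for
// xlsx-to-json-lc. Sample data below is constructed, not from a real project.

// Levenshtein edit distance between two strings (standard dynamic programming).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Return one finding per (dependency, trusted name) pair where the dependency is
// not itself on the allowlist but sits within maxDistance edits of a trusted name.
function findLookalikes(pkgJson, allowlist, maxDistance = 2) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const trusted = new Set(allowlist);
  const findings = [];
  for (const dep of Object.keys(deps)) {
    if (trusted.has(dep)) continue; // exact allowlisted name: nothing to flag
    for (const name of allowlist) {
      const d = editDistance(dep, name);
      if (d <= maxDistance) findings.push({ dep, lookalikeOf: name, distance: d });
    }
  }
  return findings;
}

// Constructed sample package.json and allowlist for a hypothetical project.
const samplePackageJson = {
  dependencies: { "xlsx-to-json-lh": "^1.0.0", "express": "^4.18.0" },
  devDependencies: { "jest": "^29.0.0" },
};
const allowlist = ["xlsx-to-json-lc", "express", "jest"];

console.log(findLookalikes(samplePackageJson, allowlist));
// prints [ { dep: 'xlsx-to-json-lh', lookalikeOf: 'xlsx-to-json-lc', distance: 1 } ]
```

A real audit would run this against a curated allowlist in CI and fail the build on any finding, rather than relying on developers to spot a one-character difference by eye.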
Read at Developer Tech News