Malicious npm package taken down after Microsoft warning (Security News, January 2020)
Criminals have been caught trying to sneak a malicious package onto npm, the popular Node.js package registry.
The problem package, 1337qq-js, was uploaded to npm on 31 December, after which it was downloaded at least 32 times according to figures from npm-stat.
Malicious npm packages, particularly ones installing backdoors, have become a recurring theme in the last year or two.
The thinking behind this attack was simple - upload what appears to be a useful package, wait until the specific target starts using it in their 'build chain', and then update the package with a malicious payload. This kind of ruse puts a lot of pressure on npm's security testers to spot malevolence before any damage is done.
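A defender-side check for the "benign first, malicious update later" pattern described above, as an added example that is not from the article or from npm. It flags dependencies whose version range would accept a later published update, and lockfile entries with no integrity hash. The package names and data are constructed, and the `node_modules/<name>` keys assume npm's lockfile version 2 or 3 layout.

```javascript
// Added example: audit a parsed package.json and package-lock.json for
// dependencies that could silently pick up a later (possibly malicious) release.
// All package names and values below are constructed for illustration.

// A pinned version is a plain semver such as "2.3.1" (prerelease/build allowed).
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function auditDependencies(manifest, lock) {
  const findings = [];
  const locked = (lock && lock.packages) || {};
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      // "^1.0.0", "~1.0.0", "*", "latest" all accept versions published later.
      if (!EXACT.test(range)) {
        findings.push({ name, issue: "floating-range", detail: range });
      }
      const entry = locked[`node_modules/${name}`];
      if (!entry) {
        // Nothing fixes which version gets installed on the next build.
        findings.push({ name, issue: "not-locked", detail: "no lockfile entry" });
      } else if (!entry.integrity) {
        // Version is fixed, but the tarball contents are not verified.
        findings.push({ name, issue: "no-integrity", detail: entry.version });
      }
    }
  }
  return findings;
}

// Constructed sample input (hypothetical packages).
const sampleManifest = {
  dependencies: { "example-helper": "^1.0.0", "example-pinned": "2.3.1" },
  devDependencies: { "example-tool": "latest" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/example-helper": { version: "1.0.3", integrity: "sha512-CONSTRUCTED" },
    "node_modules/example-pinned": { version: "2.3.1" },
  },
};

for (const f of auditDependencies(sampleManifest, sampleLock)) {
  console.log(`${f.name}: ${f.issue} (${f.detail})`);
}
```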
There have been at least four other incidents with malicious packages trying to sneak backdoor attacks on npm users since 2017.