RL researchers detected new malicious npm packages: eslint-format (secure.software/npm/packages/e…), react_code_format (secure.software/npm/packages/r…), @okdev/boiler_plate (secure.software/npm/packages/@…). They are very simple, but capable of sending file contents over a WebSocket. More in the 🧵👇
Once the packages are installed, the postinstall script runs the malicious payload. First, it uploads the contents of the files located in the current directory over a WebSocket. Then it starts monitoring them for changes. If a file is created, deleted or modified, that event and the new content of the file are sent again.
[screenshots: sending_change.png, connecting_to_socket.png]