npm Sees Surge of Auto-Generated “elf-stats” Packages Published Every Two Minutes

Blog post from Socket

Post Details
Author: Olivia Brown
Word Count: 7,848
Language: English
Summary

The Socket Threat Research Team has identified a surge of over 420 potentially malicious packages on npm, many of which adhere to a naming pattern involving "elf-stats" and claim to be generated every two minutes. These packages often contain simple but harmful malware, such as reverse shells and data exfiltration scripts, and are being rapidly removed by npm. The authors behind these packages often lack a history of other contributions, suggesting these accounts were created specifically for this activity. Interestingly, many packages display signs of being associated with French-speaking threat actors, as evidenced by French comments in the code and French domain names. Despite some descriptions framing the activity as testing or challenges, the code is considered unsafe for real environments, and the team continues to monitor and remove these packages while advising users to avoid installing any "elf-stats" packages until further review.