logo

Elf-Stats NPM Christmas Spam Campaign

ID: 95da833b-91bd-522c-9468-5f29c4dce86b

STIX ID: report--95da833b-91bd-522c-9468-5f29c4dce86b

Feed Name: OpenSourceMalware Blog

Threat Score
50/100

Date Published: 2025-12-03

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

A rapid NPM spam campaign named “Elf-Stats” has published dozens of Christmas-themed packages (36–40 packages across ~23 user accounts) that contain malicious payloads; early samples used index.js to POST data to an attacker endpoint, while later samples abuse package.json postinstall scripts to exfiltrate local /opt files to webhook URLs. The report lists affected package names, user accounts, and example payloads, showing active abuse of the NPM ecosystem to perform data exfiltration when packages are installed.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.