Elf-Stats NPM Christmas Spam Campaign
ID: 95da833b-91bd-522c-9468-5f29c4dce86b
STIX ID: report--95da833b-91bd-522c-9468-5f29c4dce86b
Feed Name: OpenSourceMalware Blog
Date Published: 2025-12-03
Date Updated: 2026-06-20
Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2
A rapid NPM spam campaign named “Elf-Stats” has published dozens of Christmas-themed packages (36–40 packages across ~23 user accounts) that contain malicious payloads; early samples used index.js to POST data to an attacker endpoint, while later samples abuse package.json postinstall scripts to exfiltrate local /opt files to webhook URLs. The report lists affected package names, user accounts, and example payloads, showing active abuse of the NPM ecosystem to perform data exfiltration when packages are installed.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
