Microsoft on Tuesday issued a warning over the increasing use of Node.js for the delivery of malware and other malicious payloads.
The tech giant has been seeing such attacks aimed at its customers since October 2024 and some of the observed campaigns are still active in April 2025.
The open source cross-platform runtime environment Node.js is popular among developers, allowing them to execute JavaScript code outside of web browsers. However, this also makes it tempting for threat actors, who can leverage it to disguise their malware and bypass security mechanisms.
In one campaign seen by Microsoft, cybercriminals used cryptocurrency-related malvertising to trick users into downloading a malicious installer disguised as a legitimate file from crypto platforms such as TradingView or Binance.
The installer contains a malicious DLL that is loaded to gather basic system information. A PowerShell script then downloads the Node.js binary and a JavaScript file that is executed by Node.js. The routine executed by the JavaScript file includes loading multiple modules, adding certificates to the device, and stealing sensitive browser information.
“These routines might indicate follow-on malicious activities such as credential theft, evasion, or secondary payload execution, which are commonly observed in other malware campaigns leveraging Node.js,” Microsoft explained.
In a different campaign, one involving the ClickFix social engineering technique, the attacker attempted to trick the victim into executing a malicious PowerShell command that would initiate the download and execution of various components, including the Node.js binary to enable the execution of JavaScript code directly in a command rather than running it from a file.
“While traditional scripting languages like Python, PHP, and AutoIT remain widely used in threats, threat actors are now leveraging compiled JavaScript—or even running the scripts directly in the command line using Node.js—to facilitate malicious activity,” Microsoft said.
“This shift in threat actor techniques, tactics, and procedures (TTPs) might indicate that while Node.js-related malware aren’t as prevalent, they’re quickly becoming a part of the continuously evolving threat landscape,” it added.
Related: Vulnerabilities in MongoDB Library Allow RCE on Node.js Servers
Related: Microsoft Warns of New StilachiRAT Malware
Related: Academics Devise Open Source Tool For Hunting Node.js Security Flaws