
"The npm packages were uploaded to the registry on July 4, 2025, and accumulated over 9,900 downloads collectively - The multi-stage credential theft operation manifested in the form of various typosquatted packages impersonating popular npm libraries such as TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand. Once installed, the malware serves a fake CAPTCHA prompt and displays authentic-looking output that mimics legitimate package installations to give the impression that the setup process is proceeding along expected lines."
"In each package, the malicious functionality is automatically triggered upon installation by means of a postinstall hook, launching a script named "install.js" that detects the victim's operating system and launches an obfuscated payload ("app.js") in a new Command Prompt (Windows), GNOME Terminal or x-terminal-emulator (Linux), or Terminal (macOS) window. "By spawning a new terminal window, the malware runs independently of the npm install process.""
Ten typosquatted npm packages uploaded on July 4, 2025 impersonated popular libraries and amassed over 9,900 downloads. Each package triggers a postinstall hook that runs install.js, which detects the operating system and spawns an obfuscated payload, app.js, in a new terminal window on Windows, Linux, or macOS. The malware displays a fake CAPTCHA and authentic-looking installation output while fingerprinting victims by IP address and sending the result to 195.133.79[.]43. It then downloads a 24MB PyInstaller information stealer that harvests credentials from system keyrings, browsers, and authentication services. Four layers of obfuscation and execution in a separate terminal window are used to evade detection.
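The install-time trigger described above (a postinstall hook running a script that spawns a detached terminal) is something a package audit can flag before `npm install` runs it. The following Python audit is an added example, not code from the article or from the researchers it cites; the manifest and install.js contents it checks are constructed samples, and the `audit_manifest` helper and its pattern names are assumptions of this example.

```python
"""Flag npm install-time lifecycle scripts that spawn terminals or child processes."""
import json
import re
from typing import Dict, List, Optional

# Hooks npm runs automatically during `npm install`; no user action is needed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Traits of the campaign above: a script file run at install time, use of
# child_process, and launching a separate terminal on Windows/Linux/macOS.
SUSPICIOUS = {
    "runs_script_file": re.compile(r"\bnode\s+\S+\.js\b"),
    "child_process": re.compile(r"child_process|\bspawn\(|\bexec\("),
    "spawns_terminal": re.compile(
        r"\b(cmd\.exe|gnome-terminal|x-terminal-emulator|osascript|open -a Terminal)\b"),
}


def audit_manifest(manifest: dict, script_sources: Optional[Dict[str, str]] = None) -> List[dict]:
    """Return one finding per install hook in a parsed package.json.

    script_sources maps a script filename (e.g. "install.js") to its contents so the
    file a hook launches is inspected too. Assumed helper; not part of npm itself.
    """
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [name for name, pat in SUSPICIOUS.items() if pat.search(cmd)]
        # If the hook runs a local .js file we have on disk, scan its body as well.
        m = re.search(r"\bnode\s+(\S+\.js)\b", cmd)
        if m and script_sources and m.group(1) in script_sources:
            body = script_sources[m.group(1)]
            reasons += [f"{name}:{m.group(1)}" for name, pat in SUSPICIOUS.items() if pat.search(body)]
        findings.append({"package": manifest.get("name"), "hook": hook,
                         "command": cmd, "reasons": sorted(set(reasons))})
    return findings


# Constructed sample, not a real package: a manifest with a postinstall hook and
# an install.js that picks a terminal by platform and launches app.js in it.
SAMPLE_MANIFEST = json.loads(
    '{"name": "example-typosquat", "version": "1.0.0",'
    ' "scripts": {"postinstall": "node install.js", "test": "jest"}}')
SAMPLE_INSTALL_JS = """
const { spawn } = require('child_process');
const os = require('os');
if (os.platform() === 'win32') spawn('cmd.exe', ['/c', 'start', 'node', 'app.js']);
else spawn('gnome-terminal', ['--', 'node', 'app.js']);
"""

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST, {"install.js": SAMPLE_INSTALL_JS}):
        print(f)
```

Running this against each manifest in a lockfile-resolved tree before install gives a reviewable list of packages that will execute code at install time; setting npm's `ignore-scripts` config to true prevents such hooks from running at all.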
Read at The Hacker News